Is Liferay vulnerable to CVE-2023-29017: Critical RCE vulnerability in VM2 Sandbox library?

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).


  • As a customer should I mitigate the risks imposed by vulnerability "CVE-2023-29017 : Critical RCE vulnerability in VM2 Sandbox library".


    A security researcher have reported a critical Remote code execution vulnerability in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository. VM2 library is  used to run untrusted code in an isolated environment on Node.js, integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products.

    This vulnerability is rated 10, the highest score in CVSS system as  it could be exploited remotely and the attack complexity also is low. Vulnerability exists due to improper handling of host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.

    Successful exploitation of this vulnerability may allow a remote  attacker to bypass the sandbox protections to gain remote code execution rights on the hypervisor host or the host running the sandbox, run shell commands and perform unauthorized actions on the machine hosting the sandbox.

    VM2 versions 3.9.14 and earlier are impacted by this vulnerability.


  • Liferay PaaS
  • Liferay SaaS
  • Liferay Cloud
  • Liferay DXP 7.0+


  • Liferay DXP, Liferay Cloud, Liferay PaaS and Liferay SaaS are not using (or installing) the VM2 library therefore we are not vulnerable. This issue does not affect them.

Additional Information

Was this article helpful?
0 out of 0 found this helpful