vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
The vulnerability (CWE-94, CWE-693) consists of the fact that the vm2 sandbox protection mechanisms can be bypassed by specially crafted code executed inside the virtual machine. Malicious code is able to break out of the isolation boundaries and gain access to the Node.js host environment. After escaping the sandbox, it is possible to execute arbitrary system commands in the context of the vm2 hosting process.
An attacker can execute arbitrary code on the host system, leading to complete compromise of confidentiality, integrity, and availability of the system — including server takeover, data theft, and malware installation.
Update the vm2 library to version 3.11.0, in which the issue was fixed. Patches are available in the project's GitHub repository (commits: 2b5f3e3 and f9b700b1).
Vm2 Project vm2 — all versions before 3.11.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.0
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)