vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
The vulnerability results from an insufficient fix introduced in response to CVE-2023-37466 — the protection mechanism can be bypassed through properly crafted JavaScript code. An attacker who can execute code in the context of the vm2 sandbox can construct a payload that enables escape from the isolated environment (CWE-94: code injection, CWE-693: insufficient protection mechanism). After escaping the sandbox, malicious code gains access to the host operating system and can execute arbitrary commands.
An attacker can completely break the sandbox isolation and execute arbitrary code on the host server, potentially leading to full system compromise, data theft, or further lateral movement in the network.
Update the vm2 library to version 3.10.5 or later, where the vulnerability has been fixed. Details are available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.10.5
Vm2 Project vm2 in all versions prior to 3.10.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.10.5
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)