vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.
Code executed within the isolated vm2 environment through the VM.run() function is able to gain access to the host process object. This enables the execution of arbitrary system commands directly on the host machine, completely bypassing sandbox isolation mechanisms. The vulnerability requires no privileges or user interaction, and the attack vector is network-based.
An attacker gains full control over the host process, enabling arbitrary code execution (RCE), data theft, system modification, or further lateral movement in the network.
The vm2 library must be updated to version 3.10.5, in which the vulnerability has been patched. Details are available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.10.5
vm2 in version 3.10.4 (Vm2 Project Vm2)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.10.5
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)