vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
The vulnerability (CWE-94 — improper control of code generation) consists of the ability to obtain a reference to a host object from code executed inside the sandbox. An example exploitation method is calling the `getOwnPropertySymbols` method on a host object to retrieve the `Symbol(nodejs.util.inspect.custom)` symbol, which enables further manipulation of the Node.js environment outside the sandbox. After gaining access to the host object, an attacker can execute arbitrary code in the context of the host process.
An attacker can escape from an isolated sandbox and execute arbitrary code on the host server (RCE), which in practice means complete compromise of the system running the application that uses vm2.
The vm2 library must be urgently updated to version 3.11.0 or later, where the vulnerability has been fixed. Details are available in the vendor's references on GitHub Security Advisories.
vm2 library for Node.js in versions prior to 3.11.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.0
Related vulnerabilities
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
Ucieczka z sandboxu vm2 poprzez getter na prototypie tablicy