vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.
An attacker can combine calls to Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__") and Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__") in conjunction with ERR_INVALID_ARG_TYPE error handling generated by Node.js. This makes it possible to gain access to the host TypeError constructor, which is located outside the sandbox boundary. Taking over this object breaks the vm2 environment isolation, enabling code execution outside the controlled space (CWE-913: insufficient control of resource management for dynamically managed code).
An attacker gains the ability to execute arbitrary code on the host server (RCE), bypassing sandbox isolation mechanisms — which may lead to complete system takeover, data leakage, and breach of application integrity and availability.
The vm2 library must be immediately updated to version 3.11.4 or newer, where the issue has been fixed. The patch is available in the project's GitHub repository (commit 27c525f4615e2b983f122e2bed327d810126f5c8) and in the official release v3.11.4.
The vm2 library in versions prior to 3.11.4 (affects all Node.js applications using vm2 as a sandboxing mechanism).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H