vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
The vulnerability stems from improper implementation of the inspect mechanism in vm2, which does not provide adequate isolation (CWE-94: code injection, CWE-693: insufficient protection of mechanism). An attacker can craft code executed inside the vm2 sandbox that escapes its boundaries through the inspect function. After breaking out of the sandbox, arbitrary commands can be executed directly on the host operating system.
The attacker gains full control over the host system — can read, modify and delete files, execute arbitrary system commands, and potentially take control of the entire infrastructure. The vulnerability leads to complete breach of system confidentiality, integrity, and availability.
The vm2 library should be updated to version 3.11.0, where the vulnerability has been fixed. The update is available in the project's GitHub repository and in the npm registry.
Vm2 Project vm2 in all versions preceding 3.11.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.0
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)