vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
The vulnerability results from improper handling of the SuppressedError mechanism, which allows an attacker to bypass sandbox protections (CWE-693 — Protection Mechanism Failure). By passing specially crafted code to vm2, an attacker can escape the isolated execution environment and gain access to the host Node.js context. This mechanism is also classified as CWE-94 — Code Injection, as the result is the ability to inject and execute arbitrary code at the level of the underlying system.
An attacker can escape the vm2 sandbox and execute arbitrary code in the context of the host Node.js process, which can potentially lead to complete server takeover, data disclosure, or service disruption.
Update the vm2 library to version 3.11.0 or later, in which the vulnerability has been fixed. Details available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.11.0
Vm2 Project vm2 in all versions before 3.11.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.0
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)