vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.
The vulnerability consists of the ability to call the BaseHandler.getPrototypeOf method in an unintended manner through sandbox mechanisms. An attacker can use it to obtain a reference to any JavaScript object prototype from outside the isolated environment. This leads to breaking the sandbox boundary and potential execution of arbitrary code in the context of the host Node.js process (code injection, CWE-94).
An attacker can completely break out of the sandbox isolation and execute arbitrary code in the context of the application hosting vm2, which in practice means complete takeover of the server — violation of confidentiality, data integrity, and system availability.
The vm2 library should be updated to version 3.11.0 or newer, where the vulnerability has been fixed. If immediate update is not possible, consider alternative mechanisms for isolating untrusted code.
vm2 library for Node.js in versions before 3.11.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.0
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
Ucieczka z sandboxu vm2 poprzez getter na prototypie tablicy