vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
The vulnerability classified as CWE-668 (Exposure of Resource to Wrong Sphere) indicates improper access management to resources within the vm2 isolation mechanism. Code running inside the sandbox can access resources or context that should be unavailable to it. The detailed technical mechanism has not been disclosed in the description, however, a critical CVSS score of 9.8 with a network vector requiring no privileges and user interaction indicates a serious isolation flaw.
An attacker can cause a sandbox escape, which as a consequence may result in unauthorized access to sensitive data, violation of system integrity, and potentially complete takeover of the host.
The vm2 library should be updated to version 3.11.2 or newer, in which the vulnerability has been fixed. It is recommended to check all Node.js projects using vm2 as a dependency and apply the update immediately.
vm2 library for Node.js in versions prior to 3.11.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.11.2
Related vulnerabilities
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)