A critical sandbox escape vulnerability has been identified in vm2, a widely used Node.js library. This flaw allows an attacker to bypass security restrictions and execute arbitrary code on the underlying server, potentially leading to a full system compromise. Organizations using applications that rely on vulnerable versions of vm2 are at high risk of data theft, service disruption, and further network intrusion.

The vulnerability is a sandbox escape within the vm2 Node.js library. The library fails to properly sanitize promise callbacks returned by async functions. While the sandbox correctly handles promises created within its own context (localPromise), it does not apply the same security controls to native promises (globalPromise) that are returned by asynchronous functions. An attacker can craft malicious code within the sandbox that uses an async function to return a native promise. The callback function attached to this promise (via .then() or .catch()) will then execute outside the sandbox's security context, granting the attacker arbitrary code execution on the host machine.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to completely bypass the intended security isolation of the sandbox environment. This could lead to a full compromise of the application server, enabling the attacker to steal sensitive data, install malware or ransomware, disrupt critical services, or use the compromised system as a pivot point to attack other resources on the internal network. The potential for complete system takeover poses a direct and severe risk to business operations, data confidentiality, and system integrity.

Immediate Action: Identify all applications and systems utilizing the vm2 Node.js library and update it to the patched version 3.10.2 or later. After patching, monitor affected systems for any signs of post-exploitation activity and review historical access and application logs for indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring on servers running applications with the vm2 library. Look for anomalous behavior from the Node.js process, such as unexpected child processes (e.g., /bin/sh, powershell.exe), outbound network connections to unfamiliar IP addresses, or modifications to sensitive system files. Application-level logging should be reviewed for suspicious inputs that may be attempting to trigger the exploit.

Compensating Controls: If immediate patching is not feasible, apply compensating controls to reduce risk. Run the application in a minimal, hardened container (e.g., Docker) with restricted user permissions and no unnecessary tools. Implement strict network egress filtering to block potential command-and-control (C2) communications. A Web Application Firewall (WAF) may also be configured to block patterns associated with known exploit attempts.

Public Exploit Available: False

Immediate and decisive action is required to mitigate this critical vulnerability. All development and security teams must prioritize the identification of any product using the vm2 library and immediately update it to a patched version (3.10.2 or newer). Although this vulnerability is not yet on the CISA KEV list, its critical CVSS score of 9.8 signifies the highest level of risk. Due to the potential for complete system compromise, remediation of this flaw should be treated as an emergency security priority.