A critical sandbox breakout vulnerability in vm2 allows attackers to bypass previous security patches and execute arbitrary code on the host system.

This issue is a bypass of the fix for CVE-2023-37466. It allows an attacker to craft code that circumvents existing sandbox protections, enabling the execution of arbitrary commands on the host OS.

The CVSS score of 9.8 confirms the severity of this sandbox escape. By exploiting this, an attacker can move from a contained environment to the host system, leading to complete system compromise, data theft, or the installation of persistent malware.

Immediate Action: Update the vm2 dependency to version 3.10.5 or later to apply the necessary security fixes.

Proactive Monitoring: Monitor for unexpected shell commands or suspicious network connections initiated by the Node.js process.

Compensating Controls: Use strict system-level controls, such as SELinux or AppArmor, to restrict what the Node.js process can execute on the host.

Public Exploit Available: No

This vulnerability demonstrates the persistence of security flaws in complex sandbox libraries. Developers must prioritize updating dependencies and should evaluate if their application architecture can be modified to avoid executing untrusted code within a Node.js-based sandbox.