CVE-2026-24781
Node.js (vm2) · vm2
A sandbox breakout vulnerability in the vm2 library's `inspect` function allows attackers to escape the sandbox and execute arbitrary commands on the host.
Executive summary
A critical sandbox breakout vulnerability in the vm2 library's inspect function allows attackers to escape the sandbox and execute arbitrary commands on the host.
Vulnerability
The inspect function in vm2 allows an attacker to manipulate objects in a way that escapes the sandbox environment. This facilitates arbitrary code execution on the host system running the Node.js environment.
Business impact
With a CVSS score of 9.8, this vulnerability poses a severe threat. Successful exploitation grants the attacker the same permissions as the Node.js process, which can lead to data exfiltration, system destruction, or unauthorized lateral movement within the network.
Remediation
Immediate Action: Update the vm2 dependency to version 3.11.0 or later to mitigate this sandbox breakout vector.
Proactive Monitoring: Monitor for anomalous usage of the inspect function or unexpected object manipulation patterns within the application.
Compensating Controls: Implement robust ingress and egress filtering on the host system to prevent unauthorized command-and-control communication in the event of an escape.
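A check for the first remediation step, added here as an example and not part of the advisory or of vm2 itself: it walks an npm package-lock.json (lockfileVersion 2 or 3 layout assumed) and reports every installed copy of vm2, including transitive copies nested under another dependency, that is still below 3.11.0. The lockfile contents are constructed sample data.

```javascript
// Added example (not from the advisory): scan an npm package-lock.json (lockfileVersion
// 2 or 3, "packages" map) for every vm2 install still below the fixed version.
const FIXED_VM2_VERSION = "3.11.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus a prerelease tag.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [+m[1], +m[2], +m[3]], prerelease: m[4] || null };
}

// True when `version` sorts before `fixed`. Compares numerically, so 3.9.19 < 3.11.0
// (a plain string comparison gets this wrong), and treats a prerelease of the
// fixed version (3.11.0-rc.1) as still unfixed.
function isBelowFixed(version, fixed = FIXED_VM2_VERSION) {
  const a = parseSemver(version), b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i];
  }
  return a.prerelease !== null && b.prerelease === null;
}

// Return every vm2 install in the lockfile, direct ("node_modules/vm2") or nested
// under another package ("node_modules/<dep>/node_modules/vm2"), with its status.
function findVm2Installs(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      found.push({ path, version: meta.version, vulnerable: isBelowFixed(meta.version) });
    }
  }
  return found;
}

// Constructed sample lockfile: the direct vm2 is patched, but a transitive copy
// pinned by another package is still on an affected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.0" },
    "node_modules/legacy-runner": { version: "2.0.0" },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.9.19" },
  },
};

for (const hit of findVm2Installs(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.vulnerable ? "UPDATE REQUIRED" : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls vm2` gives the same nested view from the CLI.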
Exploitation status
Public Exploit Available: No
Analyst recommendation
The frequency of sandbox escape vulnerabilities in vm2 suggests that it is not a secure solution for running untrusted code. Organizations are strongly advised to update the library and investigate safer alternatives for code isolation if the requirement for running untrusted code persists.