CVE-2026-26332
Node.js (vm2) · vm2
A vulnerability involving `SuppressedError` in the vm2 library allows attackers to escape the sandbox and execute arbitrary code on the host system.
Executive summary
A critical sandbox breakout vulnerability in vm2 allows attackers to leverage `SuppressedError` to execute arbitrary code on the host.
Vulnerability
The `SuppressedError` object in the vm2 environment can be manipulated to facilitate a sandbox escape. Exploiting this lets an attacker move outside the restricted environment and execute arbitrary code on the host.
Business impact
A CVSS score of 9.8 reflects the high severity of this sandbox escape. Exploitation could allow an attacker to gain full control over the host system, leading to complete data compromise and potential disruption of critical business processes.
Remediation
Immediate Action: Update the vm2 dependency to version 3.11.0 or later to address this breakout vulnerability.
Proactive Monitoring: Monitor application logs for unexpected error patterns or unusual code execution sequences.
Compensating Controls: Run the Node.js application with minimal system privileges and use containerization to restrict access to the underlying host resources.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The continued discovery of sandbox escapes in vm2 underscores the difficulty of maintaining a secure JavaScript sandbox. Updating the library is mandatory, but organizations should also assess the necessity of running untrusted code and consider more secure architectural alternatives.