A critical sandbox escape vulnerability in vm2 allows attackers to gain access to the host process object and execute arbitrary commands on the system.

This is a full sandbox escape that allows code running within VM.run() to obtain the host process object. With this access, an attacker can execute arbitrary commands on the host system without any cooperation from the host itself.

The CVSS score of 9.8 indicates that this is a critical vulnerability. An attacker can achieve complete system compromise, bypassing all intended restrictions of the vm2 sandbox, potentially leading to unauthorized data access and system manipulation.

Immediate Action: Upgrade vm2 to version 3.10.5 or later to resolve the sandbox escape.

Proactive Monitoring: Monitor for suspicious process activity or unauthorized modifications to the host system by the Node.js application.

Compensating Controls: Utilize kernel-level security features to limit the process's capabilities and prevent the exploitation of process objects.

Public Exploit Available: No

This vulnerability is exceptionally dangerous as it grants direct access to the host process. Immediate patching is required. Organizations should treat this as a high-priority security update and review their application's dependency tree to ensure the patch is correctly applied.