A critical sandbox escape vulnerability in the vm2 library allows attackers to access host objects and bypass security restrictions.

The sandbox fails to properly restrict access to the host Object. Attackers can use HostObject.getOwnPropertySymbols to obtain sensitive references, enabling a full escape from the sandbox.

A CVSS score of 10.0 signifies an extremely high risk of compromise. Successful exploitation grants the attacker the ability to interact with the host environment, leading to full system control, sensitive data exposure, and potential compromise of the underlying infrastructure.

Immediate Action: Update the vm2 library to version 3.11.0 or later immediately.

Proactive Monitoring: Monitor system logs for unusual Node.js activity that deviates from standard application behavior, specifically looking for attempts to access non-sandboxed modules or system functions.

Compensating Controls: Employ robust system-level isolation, such as running Node.js processes within hardened containers or gVisor, to minimize the impact if the sandbox is breached.

Public Exploit Available: Unknown

This vulnerability represents a severe security failure in the isolation mechanism. All systems utilizing versions of vm2 prior to 3.11.0 must be patched immediately to prevent complete host system compromise.