CVE-2026-44005
Node.js (vm2) · vm2
The vm2 sandbox for Node.js is vulnerable to prototype pollution, allowing sandboxed code to mutate host-realm objects and escape the environment.
Executive summary
A critical sandbox escape vulnerability in the vm2 library allows attackers to mutate host-realm objects and execute code outside the intended environment.
Vulnerability
The library incorrectly exposes mutable proxies for host-realm intrinsic prototypes. This allows sandboxed JavaScript to modify critical objects such as Object.prototype, facilitating a sandbox escape.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. Exploitation allows an attacker to break out of the Node.js sandbox, leading to arbitrary code execution on the underlying host system, full server compromise, and potential lateral movement within the network.
Remediation
Immediate Action: Update the vm2 library to version 3.11.0 or later to address the proxy exposure issue.
Proactive Monitoring: Monitor for anomalous process behavior or unexpected file system modifications originating from Node.js applications utilizing the vm2 library.
Compensating Controls: Ensure that Node.js applications are running with the principle of least privilege, utilizing containerization or restricted service accounts to limit the blast radius of a potential escape.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this sandbox escape, users must upgrade to version 3.11.0 or later immediately. Organizations should conduct a thorough audit of all Node.js applications relying on vm2 for isolation to ensure they are updated and secure.