CVE-2026-44006

Node.js (vm2) · vm2

The vm2 sandbox for Node.js is vulnerable to prototype access, allowing attackers to reach arbitrary prototypes and escape the sandbox.

Executive summary

A critical sandbox escape vulnerability in the vm2 library allows attackers to access arbitrary prototypes and gain control over the host environment.

Vulnerability

The sandbox fails to restrict access to BaseHandler.getPrototypeOf. By reaching this handler, an attacker can retrieve arbitrary prototypes, enabling a sandbox escape and subsequent host-level execution.

Business impact

The CVSS score of 10.0 confirms this as a critical risk. Successful exploitation grants the attacker full control over the host system, potentially leading to unauthorized data access, service disruption, and compromise of the entire Node.js application environment.

Remediation

Immediate Action: Update the vm2 library to version 3.11.0 or later to patch the prototype access handler.

Proactive Monitoring: Monitor for unusual JavaScript execution patterns or attempts to reflect on object prototypes within the application.

Compensating Controls: Implement strict resource limits and process isolation for any Node.js application that processes untrusted code.
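
One way to check the Immediate Action item across a whole dependency tree, as an added example that is not part of the original advisory or the vm2 project: it walks an npm lockfile, including nested transitive copies, and reports every vm2 install below 3.11.0. The lockfile contents and the package name hypothetical-runner are constructed for illustration.

```javascript
// Added example (not vm2 project code): flag vm2 installs below the fixed release.
const FIXED = [3, 11, 0]; // from the advisory: "version 3.11.0 or later"

// True when version string v is older than FIXED, or cannot be parsed.
function isBelowFixed(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(v));
  if (!m) return true; // missing or odd version: surface it for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return m[4] === "-"; // a pre-release of 3.11.0 sorts before 3.11.0
}

// Returns [{ path, version }] for every resolved vm2 copy that needs upgrading.
function findVulnerableVm2(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // because v2 lockfiles carry both and would be counted twice).
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2" && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.packages ? null : lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one patched direct copy, one old transitive copy,
// and a scoped package that merely shares the name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.0" },
    "node_modules/hypothetical-runner/node_modules/vm2": { version: "3.9.19" },
    "node_modules/@scope/vm2": { version: "1.0.0" },
  },
};

console.log(findVulnerableVm2(sampleLock));
```

To audit a real project, pass the parsed contents of its package-lock.json to findVulnerableVm2; an empty result means no resolved vm2 copy is below the fixed version.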

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is a severe threat to any system relying on vm2 for isolation. Upgrading to the latest version is the only effective mitigation and must be performed immediately.