CVE-2026-44008

Node.js (vm2) · vm2

The vm2 sandbox for Node.js is vulnerable to an array species batch neutralization flaw, allowing attackers to escape the sandbox and execute arbitrary commands.

Executive summary

A critical sandbox escape in the vm2 library allows attackers to access host functions and execute arbitrary commands on the host system.

Vulnerability

The neutralizeArraySpeciesBatch method improperly handles objects across the sandbox boundary. Attackers can leverage this to retrieve host objects, including the host Function object, and escape the sandbox.

Business impact

The CVSS score of 9.8 underscores the severe risk of host system compromise. Successful exploitation grants the attacker the ability to escape the sandbox and execute arbitrary commands on the underlying host, leading to full system takeover.

Remediation

Immediate Action: Update the vm2 library to version 3.11.2 or later.

Proactive Monitoring: Monitor for unexpected system-level processes or unusual file system activity originating from the Node.js application.

Compensating Controls: Enforce strict process-level security, such as using seccomp profiles to block unauthorized system calls if a sandbox escape occurs.
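
vm2 can be installed as a transitive dependency, so the update under Immediate Action has to cover every copy in the dependency tree. The following added example (not part of the original advisory or the vm2 project) walks a parsed package-lock.json and flags any vm2 copy below 3.11.2; the sample lockfile and the `render-svc` package name are constructed for illustration.

```javascript
const FIXED = [3, 11, 2]; // from the advisory: "3.11.2 or later"

// Returns true (below fix), false (fixed), or null (version not plain semver).
function isBelowFix(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return null; // e.g. git URL or tarball reference: needs manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease of the fixed version sorts before it
}

// Walks a parsed package-lock.json and lists every installed vm2 copy.
function findVm2(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, belowFix: isBelowFix(version) });
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      record(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 lockfiles carry both views of the same install).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not a real project); "render-svc" is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.2" },
    "node_modules/render-svc/node_modules/vm2": { version: "3.9.19" },
  },
};
for (const h of findVm2(sampleLock)) {
  console.log(`${h.path} ${h.version} ${h.belowFix === false ? "ok" : "REVIEW"}`);
}
```

To run it against a real project, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to `findVm2`; any entry whose `belowFix` is not `false` still needs the update or a manual look.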

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the persistent issues with vm2 sandbox escapes, users should ensure they are on the latest version (3.11.2+) and consider whether a sandbox alone is sufficient for their security requirements or whether additional defense-in-depth measures are needed.