A critical sandbox escape vulnerability in the vm2 library allows attackers to execute arbitrary commands by manipulating async generators.

The vulnerability exists in how the sandbox handles exceptions within async generators. By exploiting the yield* expression and the return function, an unauthenticated attacker can catch host exceptions and execute arbitrary code outside the intended sandbox boundary.

The CVSS score of 9.8 reflects the extreme severity of this flaw. Successful exploitation grants an attacker full control over the host system, which can result in complete data exfiltration, unauthorized modification of system resources, and total loss of confidentiality and availability for the affected application.

Immediate Action: Update the vm2 library to version 3.11.3 or later immediately.

Proactive Monitoring: Review application logs for abnormal error patterns related to async generator execution or unexpected system-level command calls.

Compensating Controls: Deploy Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) tools capable of detecting anomalous script execution patterns in Node.js environments.

Public Exploit Available: Unknown

This vulnerability provides a direct pathway for attackers to bypass security boundaries. Immediate patching is mandatory to secure the host environment, and developers should verify that no secondary mechanisms exist that could allow similar manipulation of the sandbox.