CVE-2026-47131
vm2 · vm2
A sandbox escape vulnerability in vm2 allows unauthenticated attackers to execute arbitrary code on the host system via prototype mutation.
Executive summary
A critical sandbox escape vulnerability in vm2 (versions <= 3.11.3) allows unauthenticated attackers to achieve arbitrary code execution on the host machine.
Vulnerability
This is a sandbox escape vulnerability where unauthenticated attackers can leverage host-side object prototype mutation. By combining specific Buffer function calls with Node.js error types, an attacker can obtain the host's TypeError constructor to break out of the sandbox environment.
Business impact
The exploitation of this vulnerability results in a complete compromise of the host system, allowing for unauthorized code execution. Given the critical CVSS score of 10.0, this represents a severe risk to data confidentiality, integrity, and availability, potentially leading to full system takeover and lateral movement within the network.
Remediation
Immediate Action: Upgrade vm2 to version 3.11.4 or higher to apply the patch that prevents improper access to host-side constructors.
Proactive Monitoring: Monitor application logs for unusual sandbox behavior, including attempts to access sensitive Node.js internal objects or unexpected prototype modifications.
Compensating Controls: Apply strict egress filtering to the environment and run sandboxed processes with the least privilege necessary to limit the impact of a potential breakout.
Exploitation status
Public Exploit Available: True
Analyst recommendation
This vulnerability represents a critical risk to any infrastructure utilizing the vm2 library. Administrators must prioritize updating to version 3.11.4 immediately, as the availability of public exploits significantly lowers the barrier for attackers to compromise host systems.