CVE-2026-47135
vm2 · vm2 (Node.js sandbox)
The vm2 library contains a sandbox escape vulnerability caused by incomplete overrides of the global Symbol.for function and flaws in proxy-based bridge write-trap handlers.
Executive summary
A critical sandbox escape vulnerability in the vm2 library allows malicious code to break out of the sandbox and compromise the host environment.
Vulnerability
This is a sandbox escape vulnerability involving the manipulation of host-side behavior. By exploiting an incomplete override of the global Symbol.for function and a flaw in the proxy-based bridge's write-trap handlers, an attacker can execute code outside the intended sandbox environment.
Business impact
Successful exploitation allows an attacker to achieve host-level code execution, effectively bypassing the security boundary of the Node.js sandbox. Given the CVSS score of 8.7, this represents a significant risk to data integrity and system confidentiality. Compromise of the host environment can lead to unauthorized access to sensitive application data and the potential for full system takeover.
Remediation
Immediate Action: Upgrade the vm2 library to version 3.11.4 or later.
Proactive Monitoring: Monitor server logs for unexpected process execution or attempts to access host-level system resources originating from the Node.js processes that run sandboxed code.
Compensating Controls: Implement strict resource constraints and process isolation (e.g., cgroups or containerization) to limit the impact if the sandbox is breached.
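To support the upgrade step above, the following added example (not code from the advisory or from the vm2 project) walks a parsed npm lockfile and flags every installed copy of vm2, including transitive ones, that is older than 3.11.4. The sample lockfile and the package names `demo-app` and `report-runner` are constructed for illustration.

```javascript
// Added example: flag vm2 copies in an npm lockfile older than the fixed release.
const FIXED = '3.11.4'; // fixed version stated in this advisory
// Numeric core of a version string; prerelease/build suffixes are stripped.
const core = v => v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);

function isOlder(version, fixed = FIXED) {
  const a = core(version), b = core(fixed);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  // Same core: a prerelease of the fixed version is treated as not yet fixed.
  return version.split('+')[0].includes('-');
}

function findVm2(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && meta.version) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1 (and the v2 compatibility section): nested "dependencies".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'vm2' && meta.version && !hits.some(h => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits.map(h => ({ ...h, vulnerable: isOlder(h.version) }));
}

// Constructed sample lockfile: one patched top-level copy, one old transitive copy.
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.4' },
    'node_modules/report-runner': { version: '2.0.1' },
    'node_modules/report-runner/node_modules/vm2': { version: '3.9.19' },
  },
};
for (const h of findVm2(sampleLock)) {
  console.log(`${h.path}@${h.version} ${h.vulnerable ? 'NEEDS UPGRADE' : 'ok'}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findVm2` in place of `sampleLock`.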
Exploitation status
Public Exploit Available: true
Analyst recommendation
The severity of this sandbox escape necessitates an immediate update to version 3.11.4. Security teams must prioritize this patch to prevent unauthorized host-level access, as the existence of public exploit code significantly lowers the barrier to entry for potential attackers.