CVE-2026-47137
vm2 · vm2
An improper security check implementation in vm2 allows unauthenticated attackers to bypass sandbox restrictions and achieve remote code execution.
Executive summary
A critical security bypass in vm2 (versions up to 3.11.3) allows unauthenticated attackers to escape the sandbox and execute arbitrary code on the host.
Vulnerability
The vulnerability stems from a flawed strict equality check in the option handling in nodevm.js. By omitting the 'require' option entirely, an attacker can bypass the intended security guard, forcing the sandbox into an insecure configuration that enables escape.
Business impact
This flaw effectively neutralizes the security controls of the vm2 sandbox, allowing attackers to escape into the host environment. With a CVSS score of 10.0, successful exploitation leads to full remote code execution, granting attackers the ability to steal sensitive data, deploy malware, or disrupt critical business operations.
Remediation
Immediate Action: Update the vm2 library to version 3.11.4 to resolve the logic error in the security configuration check.
Proactive Monitoring: Review application configurations to ensure that security options are explicitly defined rather than relying on default values that may be subject to bypass.
Compensating Controls: Utilize a Web Application Firewall (WAF) or Runtime Application Self-Protection (RASP) tool to detect and block malicious payloads attempting to instantiate sandboxes with invalid configurations.
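The configuration review and version check recommended above, as an added example that is not vm2 project code: a preflight that refuses to build a NodeVM sandbox unless the installed vm2 version is at or above the fixed release and the 'require' option is set explicitly. It assumes vm2's documented option shape (`require` is either `false` or an object such as `{ external: [...], builtin: [...] }`); the faulty equality check itself is not reproduced, since the page does not show it, and `createSandbox` stands in for the application's own `opts => new NodeVM(opts)`.

```javascript
// Added example, not vm2's own code: gate NodeVM construction on a patched
// version and on explicitly defined security options.

const FIXED_VERSION = '3.11.4'; // fixed release named in the advisory

// Compare two dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed vm2 version carries the fix.
function isPatched(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) >= 0;
}

// Return a list of configuration problems; an empty list means the options pass.
// Assumes vm2's documented shape: `require` is `false` or an object.
function auditNodeVMOptions(options) {
  if (options === null || typeof options !== 'object') {
    return ['options must be an object'];
  }
  const problems = [];
  if (!Object.prototype.hasOwnProperty.call(options, 'require')) {
    problems.push("'require' must be set explicitly, not left to the default");
    return problems;
  }
  const r = options.require;
  const wellFormed = r === false || (r !== null && typeof r === 'object');
  if (!wellFormed) problems.push("'require' must be false or an object");
  if (wellFormed && r && r.external === true) {
    problems.push("'require.external: true' exposes every host module; use an allow-list");
  }
  return problems;
}

// `createSandbox` is the application's real `opts => new NodeVM(opts)` (assumed).
function createGuardedSandbox(vm2Version, options, createSandbox) {
  if (!isPatched(vm2Version)) {
    throw new Error(`vm2 ${vm2Version} is below the fixed release ${FIXED_VERSION}`);
  }
  const problems = auditNodeVMOptions(options);
  if (problems.length) throw new Error('unsafe NodeVM options: ' + problems.join('; '));
  return createSandbox(options);
}
```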
Exploitation status
Public Exploit Available: True
Analyst recommendation
The vulnerability is a direct failure of the security logic in the vm2 library. Given the critical nature of the impact and the availability of exploitation methods, organizations should treat this update as an emergency patch to prevent potential system compromise.