CVE-2026-47139

vm2 · vm2 (Node.js sandbox)

A vulnerability in the vm2 library's NodeVM component allows code running inside the sandbox to bypass configured network module exclusions and perform SSRF-style attacks when the wildcard '*' option is used.

Executive summary

A high-severity flaw in the vm2 library's NodeVM component lets sandboxed code reach the network despite configured exclusions, enabling Server-Side Request Forgery (SSRF) against hosts reachable from the process that runs the sandbox.

Vulnerability

The vulnerability lies in how NodeVM handles the '*' (wildcard) entry in its built-in module allow list (the require.builtin option). When the wildcard is present, exclusions the operator configured to keep network-capable built-ins out of the sandbox are not honored, so sandboxed code can load those modules and open connections of its own. This turns the sandbox into an SSRF primitive against the host itself and against the internal network the host can reach.
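The following is an added illustration of the bug class described above, not vm2's own resolver code: a built-in allow list in which a bare '*' silently overrides the operator's exclusions, next to a resolver that evaluates exclusions first. The '-name' exclusion syntax, the function names and the sample configurations are assumptions made for this page.

```javascript
// Added illustration for this advisory, not vm2's own resolver code.
// It models the bug class: a built-in module allow list where a bare '*'
// wildcard silently overrides the operator's exclusions, next to a
// resolver that applies exclusions first. The '-name' exclusion syntax,
// the function names and the sample configs are assumptions for this page.

// Built-ins that hand sandboxed code a socket (the SSRF surface).
const NETWORK_BUILTINS = new Set(['net', 'http', 'https', 'http2', 'dns', 'dgram', 'tls']);

// Weak resolver: if '*' is present, every built-in is granted and the
// exclusion entries are never consulted.
function isAllowedWeak(list, name) {
  if (list.includes('*')) return true;
  return list.includes(name);
}

// Hardened resolver: exclusions are evaluated first and win even when
// '*' is present; the wildcard only grants what was not explicitly denied.
function isAllowedFixed(list, name) {
  const denied = new Set(list.filter(e => e.startsWith('-')).map(e => e.slice(1)));
  if (denied.has(name)) return false;
  if (list.includes('*')) return true;
  return list.includes(name);
}

// Report which network-capable built-ins an allow list exposes under a resolver.
function exposedNetworkModules(list, resolver) {
  return [...NETWORK_BUILTINS].filter(m => resolver(list, m)).sort();
}

// Constructed operator config: "everything except the network modules".
const CONFIG_WITH_WILDCARD = ['*', '-net', '-http', '-https', '-http2', '-dns', '-dgram', '-tls'];

// Safer shape regardless of resolver behaviour: enumerate only what the
// workload actually needs, and never rely on '*' plus exclusions.
const CONFIG_ENUMERATED = ['path', 'util', 'crypto'];

console.log('wildcard config, weak resolver exposes :', exposedNetworkModules(CONFIG_WITH_WILDCARD, isAllowedWeak));
console.log('wildcard config, fixed resolver exposes:', exposedNetworkModules(CONFIG_WITH_WILDCARD, isAllowedFixed));
console.log('enumerated config, weak resolver exposes:', exposedNetworkModules(CONFIG_ENUMERATED, isAllowedWeak));
```

The point of the enumerated list is that it is safe under both resolvers: an allow list that never contains '*' cannot be affected by a defect in wildcard handling, which is why it is the configuration to prefer while an upgrade is pending.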

Business impact

With a CVSS score of 8.6 (High), this vulnerability is a serious threat to internal network security. An attacker who can execute code within the sandbox, which in many deployments means any user allowed to submit scripts, could use this flaw to probe internal services, reach hosts that perimeter firewalls shield from the internet, or interact with sensitive internal APIs that are otherwise unreachable from outside.

Remediation

Immediate Action: Update to vm2 version 3.11.4 or later, which corrects the handling of the wildcard built-in module option. Until the upgrade is in place, remove '*' from the built-in allow list and enumerate only the modules the sandboxed workload actually needs.

Proactive Monitoring: Inspect outbound connections from the process that hosts the sandbox for destinations in private, loopback and link-local ranges; a sandboxed workload should rarely need to reach those, so such connections are a strong signal of abuse.

Compensating Controls: Enforce egress filtering at the network or host level (for example a default-deny outbound policy for the container or process that runs vm2) so that even a bypassed sandbox configuration cannot reach internal segments.
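As an added example of the monitoring item above, and not tooling that ships with vm2, the following script classifies outbound connections made by the sandbox host process and flags those aimed at private, loopback, link-local or shared-address ranges. The log line format, the process name vm2-worker and the sample lines are constructed for this page.

```javascript
// Added example for the monitoring item above, not tooling that ships with vm2.
// It classifies outbound connections from the process that hosts the sandbox
// and flags those aimed at private, loopback, link-local or shared-address
// ranges. The log format, the process name and the sample lines are constructed.

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const a = ipToInt(ip);
  const b = ipToInt(base);
  if (a === null || b === null) return false;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Destinations a sandboxed workload should not normally reach. 169.254.0.0/16
// also covers the cloud instance-metadata address, a classic SSRF target.
const INTERNAL_RANGES = [
  '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
  '127.0.0.0/8', '169.254.0.0/16', '100.64.0.0/10',
];

function isInternalDestination(ip) {
  return INTERNAL_RANGES.some(range => inCidr(ip, range));
}

// Constructed line format: "<time> <process> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
const LINE_RE = /^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { time: m[1], proc: m[2], src: m[3], dst: m[5], port: Number(m[6]) };
}

// Return the connections the sandbox host process made to internal destinations.
// Malformed lines and other processes are skipped rather than treated as alerts.
function findSandboxEgressToInternal(lines, sandboxProc) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.proc !== sandboxProc) continue;
    if (isInternalDestination(rec.dst)) hits.push(rec);
  }
  return hits;
}

// Constructed sample log, not captured traffic.
const SAMPLE_LOG = [
  '2026-01-01T10:00:01Z vm2-worker 10.20.0.7:51000 -> 93.184.216.34:443',
  '2026-01-01T10:00:02Z vm2-worker 10.20.0.7:51001 -> 169.254.169.254:80',
  '2026-01-01T10:00:03Z vm2-worker 10.20.0.7:51002 -> 10.20.1.15:6379',
  '2026-01-01T10:00:04Z nginx 10.20.0.7:51003 -> 10.20.1.20:5432',
  'malformed entry that the parser must skip',
];

for (const hit of findSandboxEgressToInternal(SAMPLE_LOG, 'vm2-worker')) {
  console.log(`ALERT ${hit.time} ${hit.proc} -> ${hit.dst}:${hit.port}`);
}
```

The same destination classification can drive the compensating control: the ranges in INTERNAL_RANGES are exactly the ones a default-deny egress policy for the sandbox process should block, with only the specific upstreams the workload legitimately needs allowed through.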

Exploitation status

Public Exploit Available: true

Analyst recommendation

Organizations relying on vm2 to isolate untrusted code must update to 3.11.4 immediately. Given the potential for SSRF, this should be treated with high urgency: a sandbox that can open arbitrary connections exposes every internal service the host can reach.