CVE-2026-47140

vm2 · vm2

An incomplete denylist of Node.js builtins in vm2 allows unauthenticated attackers to escape the sandbox and execute code in the host process.

Executive summary

A critical vulnerability in vm2 (versions up to 3.11.3) permits unauthenticated attackers to escape the sandbox by exploiting missing restrictions on sensitive Node.js builtins.

Vulnerability

The NodeVM sandbox does not sufficiently restrict access to sensitive built-in modules, specifically 'process' and 'inspector/promises'. Because these builtins are missing from the denylist, code running inside the sandbox can reach primitives that interact with the host-side environment, giving unauthenticated attackers a way to bypass all sandbox isolation.

Business impact

The ability to access host-side execution primitives from within a sandbox renders the isolation provided by vm2 ineffective. With a CVSS score of 10.0, this vulnerability allows for full system compromise, posing a major risk of unauthorized data access, privilege escalation, and persistent threats to the underlying host infrastructure.

Remediation

Immediate Action: Upgrade vm2 to version 3.11.4 to incorporate the updated denylist and restrict access to dangerous Node.js builtins.

Proactive Monitoring: Audit application code for any usage of dangerous modules and monitor system logs for signs of anomalous process execution originating from sandboxed environments.

Compensating Controls: If upgrading is delayed, use system-level policies (e.g., AppArmor or SELinux) to restrict the capabilities of the process running the vm2 sandbox.
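As an added example (not part of this advisory or of the vm2 project), a JavaScript helper that supports the first two remediation steps: it walks an npm lockfile's packages map for every copy of vm2 older than 3.11.4, nested copies included, and flags NodeVM configurations whose require.builtin allowlist is a wildcard or explicitly grants the two modules named above. The lockfile contents are constructed, and the option shape assumes vm2's documented require.builtin array.

```javascript
// Fixed version from the advisory; any older release is affected.
const VM2_FIXED_VERSION = '3.11.4';

// Builtins the advisory names as host-side primitives. A wildcard
// allowlist ("*") grants these too, so it is flagged as well.
const DANGEROUS_BUILTINS = ['process', 'inspector/promises'];

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release
// suffixes are dropped (assumption: vm2 ships plain x.y.z releases).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and return
// every install path of vm2 that is older than the fixed version.
// Nested copies pulled in by other dependencies are caught as well.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (compareVersions(meta.version, VM2_FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Audit a NodeVM options object: report a wildcard builtin allowlist
// and any explicit grant of the modules the advisory names.
function auditNodeVmOptions(options) {
  const builtin = (options.require && options.require.builtin) || [];
  const findings = [];
  if (builtin.includes('*')) findings.push('builtin allowlist is a wildcard ("*")');
  for (const mod of DANGEROUS_BUILTINS) {
    if (builtin.includes(mod)) findings.push(`builtin allowlist grants "${mod}"`);
  }
  return findings;
}

// Constructed sample lockfile: a patched direct copy and a nested
// vulnerable copy brought in by a hypothetical plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.11.4' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};
```

Run findVulnerableVm2 against the real package-lock.json and auditNodeVmOptions against each NodeVM constructor call in the code base; an empty result from both is the expected state after upgrading.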

Exploitation status

Public Exploit Available: False

Analyst recommendation

While no public exploits are currently identified, the severity of a sandbox breakout via built-in modules is extreme. Organizations must prioritize the update to version 3.11.4 to ensure that sandbox boundaries are properly enforced against known dangerous primitives.