A critical sandbox breakout in vm2 (versions <= 3.11.3) allows unauthenticated attackers to achieve arbitrary command execution on the host system.

This is a sandbox breakout vulnerability resulting from improper handling of the localPromise constructor. Attackers can supply a custom reject method that triggers a breakout, allowing them to escape the sandbox and execute commands with the privileges of the host process.

The capability to escape the sandbox and execute arbitrary commands on the host machine is a catastrophic security failure. Given the CVSS score of 10.0, this vulnerability provides a direct path for attackers to gain full control over the host system, leading to total data loss, system destruction, or deep-seated persistent access.

Immediate Action: Update the vm2 library to version 3.11.4 immediately to patch the promise handling logic.

Proactive Monitoring: Monitor host systems for unexpected shell command executions or child processes being spawned by the Node.js application process.

Compensating Controls: Use container isolation technologies (like Docker or Kubernetes security contexts) to restrict the potential damage if the sandbox is breached.

Public Exploit Available: True

The risk posed by this sandbox escape is extreme. Security teams should treat this as an urgent priority; the availability of functional exploit code necessitates immediate patching to mitigate the risk of host-level command execution.