CVE-2026-47209
vm2 · vm2 (Node.js sandbox)
The vm2 library is susceptible to a sandbox escape due to a flaw in the BaseHandler.set method which incorrectly ignores the receiver parameter.
Executive summary
A critical vulnerability in vm2 allows attackers to escape the sandbox and execute code on the host system.
Vulnerability
This is a sandbox escape caused by an improper implementation of the property setting mechanism. Specifically, the BaseHandler.set method fails to correctly handle the receiver parameter, allowing sandboxed code to manipulate host-side objects and execute arbitrary code.
Business impact
The vulnerability carries a CVSS score of 8.6, indicating a high risk of host-level compromise. Successful exploitation grants an attacker the ability to break out of the sandbox confinement, leading to potential unauthorized access, data exfiltration, or complete host system takeover.
Remediation
Immediate Action: Upgrade to vm2 version 3.11.4 or higher to apply the necessary security fixes for the bridge handler.
Proactive Monitoring: Review application logs for unusual sandbox behavior or attempts to perform unauthorized property modifications within the NodeVM environment.
Compensating Controls: Deploy the application within an isolated environment with minimal privileges to reduce the impact of a potential sandbox escape.
Exploitation status
Public Exploit Available: true
Analyst recommendation
The vulnerability represents a direct threat to the security boundaries provided by vm2. Administrators must prioritize updating to version 3.11.4 to mitigate the risk of host-level compromise and ensure the continued efficacy of their sandboxing strategy.