CVE-2026-47210
vm2 · vm2
The vm2 sandbox for Node.js is vulnerable to a sandbox escape that allows arbitrary code execution in the host process when using WebAssembly JSPI.
Executive summary
A critical sandbox escape vulnerability in vm2 allows attackers to break out of the virtual machine and execute arbitrary code on the host system.
Vulnerability
The flaw occurs when untrusted code is executed with async support on a runtime that exposes WebAssembly JSPI (JavaScript Promise Integration): a Promise can bypass the sandbox's security hardening and break the sandbox boundary.
Business impact
By escaping the sandbox, an attacker can transition from executing restricted code to executing arbitrary code on the underlying host process. This results in a full system compromise, granting the attacker the same permissions as the Node.js process. With a CVSS score of 9.8, this is a highly dangerous flaw for any application relying on vm2 for isolation.
Remediation
Immediate Action: Update the vm2 dependency in all projects to version 3.11.4 or later.
Proactive Monitoring: Monitor for unexpected child processes or unusual file system/network activity originating from the Node.js process running the vm2 sandbox.
Compensating Controls: Ensure the Node.js process is running with the principle of least privilege, minimizing the impact of a potential sandbox escape.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Sandboxing libraries are security-critical components. Because this vulnerability allows for full host compromise, it is imperative that all developers using vm2 update to the latest patched version immediately to maintain the integrity of their application environment.