patriksimek vm2
cpe:2.3:a:vm2_project:vm2:*:*:*:*:node.js:*:*
- <= 3.10.0
A critical vulnerability in vm2, an open-source virtual machine/sandbox for Node.js, allows arbitrary code execution by escaping the sandbox. It affects vm2 versions through 3.10.0. The flaw is that the sanitization of callbacks passed to Promise.prototype.then and Promise.prototype.catch can be bypassed: callbacks registered through the sandbox-local promise's then (localPromise.prototype.then) are sanitized, but callbacks registered through the host's promise then (globalPromise.prototype.then) are not. Sandboxed code that obtains a host-realm promise can therefore register a handler that receives unsanitized host-realm objects, and those objects carry the host realm's constructors.
Impact: successful exploitation escapes the vm2 sandbox and executes arbitrary code in the host Node.js process, with that process's privileges.
To reproduce this vulnerability, create a new VM instance and run sandboxed code that obtains a promise returned by an async function. Attaching a catch handler to that promise intercepts its rejection; because the handler is registered through the unsanitized host promise path, the error object it receives is a host-realm object. Its constructor property yields the host Error constructor, whose own constructor is the host Function constructor. Passing attacker-controlled source to that Function constructor produces a function that runs in the Node.js host environment rather than in the sandbox, so anything it returns or executes (for example require('child_process')) is outside the sandbox's reach.
Upgrade to vm2 version 3.10.2 or later, where this vulnerability is patched. Confirm which version is actually resolved in a project (including transitive dependencies) with `npm ls vm2` before treating it as fixed.