vm2 Sandbox Breakout Vulnerability Allowing Remote Code Execution

Vulnerability

A sandbox breakout vulnerability has been identified in vm2, an open-source virtual machine/sandbox for Node.js. This vulnerability, present in versions through 3.10.4, allows attackers to escape the vm2 sandbox and execute arbitrary commands on the host system. The issue arises from the `__lookupGetter__` method, which can be exploited to access host object getters and retrieve the host `Function` constructor, enabling code execution outside the sandbox.

Impact

Successful exploitation gives an attacker who can supply code to the sandbox remote code execution on the host system, with the privileges of the Node.js process running vm2.

Reproduction

The vulnerability can be reproduced by creating a vm2 instance and using the `__lookupGetter__` method to access the host `Object` constructor. This can be done by applying the method to a `Buffer` object with `__proto__` as an argument, which triggers a prototype lookup from the host context. Once the `Function.prototype` is accessed, the `constructor` property can be used to execute code in the host environment.

Remediation

Users should upgrade to vm2 version 3.11.0 or later, where this vulnerability has been patched.
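As an added example (not code from this advisory or from the vm2 project), the Node.js check below walks an npm lockfile's dependency tree and flags every copy of vm2 older than the patched 3.11.0 release, including transitive copies nested under other packages; the lockfile fragment and package names are constructed, and a numeric comparison is used so that 3.9.x sorts below 3.10.x.

```javascript
// Added example: flag vm2 entries below the patched release named in the advisory.
const FIXED_VERSION = '3.11.0';

// Compare two dotted version strings numerically (major.minor.patch).
// A prerelease suffix such as "-beta.1" is ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a lockfile "dependencies" tree (nested entries, as in lockfile v1),
// returning every vm2 instance below the fix with its path in the tree.
function findVulnerableVm2(lockfile) {
  const hits = [];
  function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      if (name === 'vm2' && entry.version && isVulnerableVm2(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path);
    }
  }
  walk(lockfile.dependencies, '');
  return hits;
}

// Constructed sample lockfile fragment; package names are hypothetical.
const SAMPLE_LOCK = {
  dependencies: {
    vm2: { version: '3.8.4' },
    'some-plugin': { version: '1.0.0', dependencies: { vm2: { version: '3.11.2' } } },
    'other-tool': { version: '2.0.0', dependencies: { vm2: { version: '3.10.4' } } },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; any hit means the upgrade above has not reached every copy of vm2 in the tree.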

Added: May 4, 2026, 5:37 PM
Updated: May 4, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.