vm2 Remote Code Execution Vulnerability via Insufficient Sandbox Protection

Vulnerability

A remote code execution vulnerability has been identified in vm2, an open-source virtual machine/sandbox for Node.js. This issue affects vm2 versions through 3.10.3. The vulnerability arises because the fix for a previous vulnerability (CVE-2023-37466) was inadequate and could be bypassed. An attacker who can run code inside the vm2 sandbox can use this flaw to escape it and execute arbitrary commands on the host system.

Impact

Exploitation of this vulnerability allows remote code execution on the host system. The precondition is that the attacker can already execute arbitrary code within a vm2 sandbox, which is the normal situation whenever vm2 is used to run untrusted scripts.

Reproduction

The vulnerability can be reproduced by creating a vm2 instance and running a script that targets the insufficient fix for the previous vulnerability. The script overwrites the 'includes' method of an array to bypass the sandbox's protections, then uses a crafted promise to reach the host's process object and execute commands.

Remediation

Users are advised to update to vm2 version 3.10.5, which contains the fix for this vulnerability.
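To check whether a project still depends on a vulnerable release, here is an added example (not from the advisory or the vm2 project) that audits a package-lock.json "packages" tree, including nested installs, against the 3.10.5 threshold given above. The lockfile content is constructed for illustration, and the version comparison assumes plain dotted numeric versions without prerelease tags.

```javascript
// Added example: find vm2 installs older than the fixed release in a
// package-lock.json (lockfileVersion 2 or 3). Not code from the advisory
// or from vm2 itself.
const FIXED_VM2 = "3.10.5"; // fixed version named in the advisory

// Compare two dotted numeric versions ("3.10.3" vs "3.10.5").
// Returns -1 if a < b, 0 if equal, 1 if a > b. Prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys are install paths such as
// "node_modules/vm2" or "node_modules/plugin/node_modules/vm2", so a
// suffix match catches vm2 wherever it is nested in the tree.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VM2) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level vm2 and one
// patched copy nested under a hypothetical plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.3" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.5" },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.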

Added: May 4, 2026, 5:36 PM
Updated: May 4, 2026, 5:36 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.