vm2 Full Sandbox Escape Vulnerability in WebAssembly Exception Handling

Vulnerability

A critical vulnerability allowing full sandbox escape and arbitrary code execution has been identified in vm2 version 3.10.4. This issue arises from the WebAssembly exception handling mechanism in Node.js v25.6.1, where attacker-controlled code can unsanitize host-realm errors, leading to unauthorized access to the host process object and execution of host commands without any cooperation from the host.

Impact

Exploitation of this vulnerability allows attackers to escape the vm2 sandbox, gain access to the host process object, and execute arbitrary commands on the host system. This leads to remote code execution with the same privileges as the user running the Node.js process.

Reproduction

The vulnerability can be reproduced by using vm2 version 3.10.4 on Node.js v25.6.1. Attacker-controlled code is executed within the VM.run() method, where it can manipulate WebAssembly exceptions to escape the sandbox and access the host process object. A proof-of-concept demonstrating this exploitation is available as a file attachment.

Remediation

Users are advised to upgrade to vm2 version 3.10.5, where this vulnerability has been patched.

Added: May 4, 2026, 5:32 PM
Updated: May 4, 2026, 5:32 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.