vm2 Sandbox Escape Vulnerability Leading to Remote Code Execution

Vulnerability

A sandbox escape vulnerability allowing remote code execution has been identified in vm2 versions through 3.10.5. This issue arises from the ability to access the host Object and use it to escape the sandbox. One exploitation method involves using the host Object's getOwnPropertySymbols method to retrieve a specific symbol that can be leveraged for malicious purposes.

Impact

Exploitation of this vulnerability allows for sandbox escape, with subsequent remote code execution on the host system.

Reproduction

The vulnerability can be reproduced by creating a script that accesses the host Object through a crafted payload. This payload can be designed to exploit the sandbox environment by, for example, using the host Object's getOwnPropertySymbols method to obtain a symbol that references a sensitive function, such as process.getBuiltinModule('child_process').execSync. Once this function is accessed, it can be used to execute arbitrary commands on the host system.

Remediation

Users are advised to update to vm2 version 3.11.0 or later, where this vulnerability has been patched.
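
An added example (not from the advisory or the vm2 project) for the remediation step: it scans a package-lock.json in the lockfileVersion 2/3 layout for every installed copy of vm2, including copies nested under other dependencies, and reports those below 3.11.0. The sample lockfile and its package names other than vm2 are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for vm2 copies
// older than the fixed release named in the advisory (3.11.0).
const FIXED = [3, 11, 0]; // first patched version per the advisory

// Parse "major.minor.patch" and ignore any prerelease/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b.
function isLower(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every vm2 install in the lockfile that still needs updating,
// including copies nested under other dependencies.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    // Unparseable versions are reported so they get a manual look.
    if (parsed === null || isLower(parsed, FIXED)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (package names other than vm2 are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.0" },
    "node_modules/template-runner/node_modules/vm2": { version: "3.10.5" },
    "node_modules/legacy-plugin/node_modules/vm2": { version: "3.9.19" },
    "node_modules/vm2-helper": { version: "1.0.0" },
  },
};

for (const f of findVulnerableVm2(sampleLock)) {
  console.log(`update needed: ${f.path} -> vm2 ${f.version}`);
}
```

To audit a real project, pass the parsed contents of its package-lock.json to findVulnerableVm2 in place of sampleLock.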

Added: May 13, 2026, 7:54 PM
Updated: May 13, 2026, 7:54 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.