vm2 Sandbox Escape Vulnerability Leading to Node.js Process Crash

Vulnerability

A sandbox escape has been identified in vm2 versions through 3.10.5 that lets sandboxed code crash the host Node.js process. Code inside the sandbox can pass an executor to the Promise constructor that creates an Error, sets its name to a Symbol and then reads the error's stack property. Formatting the stack converts the name to a string, a Symbol cannot be converted, and the resulting TypeError is created in the host realm rather than in the sandbox realm. The executor's promise rejects with that host-realm error, nothing inside or outside the sandbox handles the rejection, and the unhandled rejection propagates to the host and terminates the process. The Promise constructor stays reachable from the sandbox whatever the 'allowAsync' option is set to, so every application that runs untrusted code through vm2 is affected. An attacker who resubmits the payload each time the service comes back up turns a single crash into a continuous denial-of-service loop.

Impact

Exploitation causes a denial-of-service condition: the host Node.js process exits, which cuts off every request in flight and every other tenant served by that process. On Node.js 15 and later an unhandled promise rejection terminates the process by default (the --unhandled-rejections=throw behaviour), so no special configuration is needed for the crash to occur. The amplification is severe: a single HTTP request carrying a payload of roughly 150 bytes is enough to take down the whole host process and, with it, service for all users.

Reproduction

To reproduce the issue, run code in the sandbox that passes a Promise executor which creates an Error, sets the error's name to a Symbol and reads its stack. Formatting the stack fails with a TypeError created in the host realm, the executor's promise rejects with that error, and because nothing handles the rejection the Node.js process crashes. Setting 'allowAsync' to false in the vm2 options does not prevent this: that option blocks asynchronous syntax such as async functions and await, but it does not remove the Promise constructor itself, so the rejecting promise can still be created and the rejection still goes unhandled.

Remediation

Update vm2 to version 3.11.0 or later, where this issue is fixed. Confirm the version actually resolved in each deployment with npm ls vm2, since a transitive dependency can pin an older release; until the upgrade is in place, treat every vm2 sandbox as able to terminate its host process.

Added: May 13, 2026, 7:52 PM
Updated: May 13, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.