vm2
cpe:2.3:a:vm2_project:vm2:*:*:*:*:node.js:*:*
- <= 3.10.5
A vulnerability in vm2, an open-source sandbox for Node.js, prior to version 3.11.0, allows sandboxed code to bypass security controls and access an internal state variable that should be restricted. This is due to a performance optimization in the code transformer that skips abstract syntax tree (AST) analysis unless the code includes certain keywords. Exploiting this vulnerability can expose internal security functions, creating a potential risk for future code changes.
This vulnerability represents a complete bypass of security controls, allowing access to internal functions that could be exploited if future updates introduce sensitive methods. This creates a latent risk for applications using vm2.
The vulnerability can be reproduced by running code inside a vm2 virtual machine that reads the internal variable 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL', for example through a POST request to an API endpoint that executes submitted code, or from a Node.js script that runs the code within a vm2 VM. The restriction on the internal state is bypassed when the code contains none of the keywords 'catch', 'import', or 'async', because the transformer then skips its AST analysis.
Users are advised to update to vm2 version 3.11.0 or later, where this vulnerability has been fixed.
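As an added example (not vm2 project code), the following defender-side checks turn the record above into something an operator can run: a version test against the affected range and fixed release stated here, and a pre-execution screen that refuses untrusted code naming the internal state variable. It assumes vm2 versions are plain "MAJOR.MINOR.PATCH" strings, and the keyword test only approximates the transformer's fast path as this record describes it.

```javascript
// Added example, not vm2 project code. Assumes "MAJOR.MINOR.PATCH" version
// strings; affected range (<= 3.10.5) and fixed version (3.11.0) come from
// the advisory, and the keyword check approximates the transformer fast path
// as the advisory describes it.
const FIXED_VERSION = '3.11.0';
const INTERNAL_STATE_ID = 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL';
// Keywords whose presence makes the transformer run its AST analysis.
const AST_TRIGGER_KEYWORDS = ['catch', 'import', 'async'];

// Parse "MAJOR.MINOR.PATCH"; any suffix such as "-beta" is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every release before the fixed 3.11.0 is affected.
function isAffectedVm2Version(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pre-execution screen for untrusted code handed to a vm2 sandbox.
// Code naming the internal state variable is refused on every version;
// vulnerableFastPath tells an operator whether an affected version would
// have skipped AST analysis for this input (no trigger keyword present).
function screenSandboxCode(code, vm2Version) {
  const referencesInternalState = code.includes(INTERNAL_STATE_ID);
  const skipsAstAnalysis = !AST_TRIGGER_KEYWORDS.some((k) => code.includes(k));
  const affectedVersion = isAffectedVm2Version(vm2Version);
  return {
    affectedVersion,
    referencesInternalState,
    vulnerableFastPath: affectedVersion && skipsAstAnalysis,
    block: referencesInternalState,
  };
}
```

The screen is a stopgap for deployments that cannot update immediately; the version check is the one that should gate the build.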