vm2
cpe:2.3:a:vm2_project:vm2:*:*:*:*:node.js:*:*
- <= 3.10.5
A denial-of-service vulnerability has been identified in vm2, a sandboxing library for Node.js, affecting versions prior to 3.11.0. The issue arises because sandboxed code can invoke Buffer.alloc() with any size, allocating memory directly on the host heap. This allocation occurs through a synchronous C++ native call, which vm2's timeout option cannot interrupt. As a result, a single request can deplete host memory, causing the process to crash with a fatal error indicating that the heap limit has been reached.
Exploitation crashes the Node.js process with an out-of-memory error. In memory-constrained environments such as Docker containers, Kubernetes pods, or AWS Lambda, the process is terminated immediately; in less constrained environments the allocated memory is eventually reclaimed and the effect is limited to temporary performance degradation.
The issue can be reproduced by submitting a payload that calls Buffer.alloc() with a large size to a server running vm2. A Node.js script that creates a vm2 instance with a timeout configured still performs the allocation, because the timeout does not apply to it; the same payload delivered in an HTTP request crashes the process with an out-of-memory error.
Users are advised to update vm2 to version 3.11.0 or later, where this vulnerability has been fixed.