vm2 Sandbox Breakout Vulnerability Allowing Remote Code Execution

Vulnerability

A sandbox breakout vulnerability has been identified in vm2, an open-source virtual machine/sandbox for Node.js, affecting versions through 3.11.1. The issue arises in the method 'neutralizeArraySpeciesBatch', which can interact with objects from the host environment. This interaction exposes host objects, including the Function object, into the vm2 sandbox. Exploiting this vulnerability allows attackers to execute arbitrary commands on the host system, escaping the vm2 sandbox restrictions.

Impact

Exploitation of this vulnerability allows for remote code execution on the host system, bypassing the vm2 sandbox.

Reproduction

To reproduce this vulnerability, use vm2 version 3.11.1 or earlier. The vulnerability can be triggered by defining a setter on the Array prototype that manipulates the sandbox's context. This can be done by creating an array and using the 'neutralizeArraySpeciesBatch' method to expose host objects into the sandbox. Once the host Function object is accessible, it can be used to execute arbitrary commands on the host system, such as creating a file.

Remediation

Users can upgrade to vm2 version 3.11.2 or later to address this vulnerability.

Added: May 13, 2026, 7:48 PM
Updated: May 13, 2026, 7:48 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.