vm2 Sandbox Breakout Vulnerability Allowing Remote Code Execution

Vulnerability

A sandbox breakout vulnerability allowing remote code execution has been identified in vm2 versions through 3.11.1. This issue arises in the 'handleException' method, where exceptions with a null prototype are incorrectly assumed to be proxied from the other side. Exploiting this flaw allows an attacker to access both the proxied and unproxied versions of a sandbox object, ultimately leading to execution of arbitrary commands on the host system.

Impact

Exploitation of this vulnerability allows for remote code execution on the host machine, with the executed code running in the context of the vm2 sandbox.

Reproduction

To reproduce this vulnerability, create a vm2 instance and run a script that throws an object with a null prototype. When the exception is caught, the prototype can be manipulated to access the host's Function object. This can be used to execute arbitrary commands, such as using the child_process module to run system commands.

Remediation

Users should upgrade to vm2 version 3.11.2 or later.
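
To confirm the upgrade has reached every copy of vm2 in a project, including nested and aliased installs, the following added example (not code from the vm2 project or this advisory) audits a parsed npm package-lock.json against the fixed version 3.11.2. The function names, the sample lockfile and the package names in it are constructed for illustration.

```javascript
// Added example: flag vm2 installs older than the fixed release in an npm lockfile.
// The fixed version is from the advisory; everything else here is illustrative.
const FIXED_VERSION = '3.11.2';
// Parse "major.minor.patch" into numbers (any prerelease suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
// Negative when version a sorts before version b.
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Collect every vm2 entry from lockfile v2/v3 ("packages") or v1 ("dependencies").
function findVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop(); // meta.name is set for aliases
    if (path && name === 'vm2') hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  // v2 lockfiles carry both sections; use the v1 tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Classify each hit as 'vulnerable', 'fixed', or 'unknown' (unparseable version).
function auditVm2(lock) {
  const fixed = parseVersion(FIXED_VERSION);
  return findVm2(lock).map((hit) => {
    const v = parseVersion(hit.version);
    return { ...hit, status: !v ? 'unknown' : compare(v, fixed) < 0 ? 'vulnerable' : 'fixed' };
  });
}

// Constructed sample lockfile (v3 layout): one fixed copy, one nested copy, one alias.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.1' },
    'node_modules/sandbox': { name: 'vm2', version: '3.9.19' },
  },
};
for (const r of auditVm2(SAMPLE_LOCK)) console.log(`${r.status.padEnd(10)} ${r.version}  ${r.path}`);
```

For a real project, pass the result of JSON.parse on its package-lock.json to auditVm2; any entry reported as vulnerable or unknown still needs the upgrade or a manual check.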

Added: May 13, 2026, 7:48 PM
Updated: May 13, 2026, 7:48 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.