vm2 Sandbox Breakout Vulnerability Allowing Remote Code Execution

Vulnerability

A sandbox breakout vulnerability has been identified in vm2, an open-source virtual machine/sandbox for Node.js, affecting versions through 3.11.2. It allows attackers to escape the vm2 sandbox and execute arbitrary commands on the host system. The issue arises because host exceptions can be caught using the yield* expression within an async generator: when the generator is closed with its return function, the awaited value can include an exception thrown by the host, which is then passed to the yield* iterator as the next value. This behavior can be exploited to execute unauthorized commands on the host.

Impact

Exploitation of this vulnerability allows remote code execution on the host system: code submitted to the vm2 sandbox runs in the sandbox context but can escape it and affect the host.

Reproduction

To reproduce this vulnerability, create a vm2 instance and run a script that uses an async generator. The script should include a function that throws an error, such as a RangeError, which can be caught and processed in a way that escapes the sandbox. The provided proof-of-concept code demonstrates this exploitation by throwing a RangeError, catching it, and then using the error to execute a command on the host system.

Remediation

Users can upgrade to vm2 version 3.11.3 or later to address this vulnerability.
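As an added defensive check (not code from this advisory or from the vm2 project), the following Node.js script walks a package-lock.json "packages" map and reports every installed copy of vm2 older than 3.11.3, including nested copies that npm keeps under other packages; the lockfile contents are constructed for the example.

```javascript
// Added example: find vm2 installs at or below 3.11.2 (the affected range
// stated in the advisory) in a lockfileVersion 2/3 package-lock.json.

const FIXED_VERSION = [3, 11, 3]; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed vm2 version predates the fix.
function isVulnerableVm2Version(version) {
  return compareVersions(parseVersion(version), FIXED_VERSION) < 0;
}

// Return the install path and version of every still-vulnerable vm2 copy.
// Lock entries are keyed by install path, so the package name is the last
// "node_modules/" segment unless the entry carries an explicit name.
function findVulnerableVm2(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (name === 'vm2' && entry.version && isVulnerableVm2Version(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct vm2 dependency is already fixed,
// but a plugin pins its own nested copy that is still in the affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.3' },
    'node_modules/some-plugin': { version: '2.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.2' },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).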

Added: May 13, 2026, 7:45 PM
Updated: May 13, 2026, 7:45 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.