Impact
The vm2 sandbox for Node.js has a security bypass that allows an attacker to achieve remote code execution. A previous fix (GHSA-8hg8-63c5-gwmx) introduced a guard that blocks the combination of enabling nested sandboxes (`nesting: true`) and disabling the ability to require modules (`require: false`). The guard used strict equality, so when the `require` option was omitted its value was `undefined` rather than `false`, and the check did not fire. The subsequent default assignment then reinstated the prohibited configuration, allowing the exploit to proceed. The flaw is a coding oversight introduced by that patch; it was not present before it.
Affected Systems
The issue affects the vm2 package maintained by patriksimek. All released versions prior to v3.11.4 are vulnerable because they use the flawed guard. Any application that imports or uses vm2 with `nesting: true` but does not explicitly set `require` to `false` can trigger the bypass and obtain unrestricted code execution within the host process.
Risk and Exploitability
The CVSS score of 10 indicates a critical vulnerability: the configuration can lead to full control over the host. The EPSS score is below 1 %, suggesting a low probability of widespread exploitation at present, but the flaw could be employed in targeted attacks or supply-chain compromise. The vulnerability is not yet listed in the CISA KEV catalog, but its impact warrants immediate action, especially in systems that rely on vm2 to isolate untrusted JavaScript. Exploitation requires constructing a vm2 instance with `nesting: true` and no explicit `require` setting, which may be feasible in environments that expose the vm2 configuration to untrusted or external code.
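As an added illustration of the option-validation flaw described above (this is not vm2's code; the function names are constructed here, only the `nesting` and `require` option names come from the advisory), the flawed guard is shown beside a hardened one that validates the effective configuration after defaults are applied:

```javascript
// Constructed example, not vm2's implementation.
// The prohibited combination the advisory describes: nested sandboxes
// enabled while module require is disabled.
function isProhibited(effective) {
  return effective.nesting === true && effective.require === false;
}

// Flawed guard: strict equality against `false` lets an omitted `require`
// (value `undefined`) pass the check; the default assignment that follows
// then yields exactly the prohibited configuration.
function flawedNormalizeOptions(options = {}) {
  if (options.nesting === true && options.require === false) {
    throw new Error('nesting with require disabled is not allowed');
  }
  return {
    nesting: options.nesting === true,
    // default assignment: an omitted `require` becomes false
    require: options.require === undefined ? false : options.require,
  };
}

// Hardened guard: compute the effective configuration first, then
// validate it, so an omitted option can never behave differently
// from the explicit value it defaults to.
function hardenedNormalizeOptions(options = {}) {
  const effective = {
    nesting: options.nesting === true,
    require: options.require === undefined ? false : options.require,
  };
  if (isProhibited(effective)) {
    throw new Error('nesting with require disabled is not allowed');
  }
  return effective;
}

// Returns true when the normalizer rejects the given options.
function guardBlocks(normalize, options) {
  try {
    normalize(options);
    return false;
  } catch (e) {
    return true;
  }
}
```

Run with any configuration that omits `require` to see the flawed normalizer return the prohibited combination while the hardened one rejects it.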
OpenCVE Enrichment
Github GHSA