With the vm2 library, developers run untrusted code in isolation on a Node.js server. The vm2 sandbox is widely used with millions of monthly downloads from the NPM repository.
Breakout into host system
Die „criticalThe vulnerability (CVE-2023-29017) is rated with the highest possible CVSS score of 10 out of 10. As a warning message states, when processing Hoste objects, it occurs in the context of the function
Error.prepareStackTrace to bugs, allowing attackers to break out of the sandbox. They could then run their own code on the host system, completely compromising the computer.
The developers state that the gap in the vm2-Version 3.9.15 to have closed. All previous releases are supposed to be vulnerable.