The popular Node.js sandboxing library vm2 has just announced a critical vulnerability that allows attackers to bypass its promise sanitization and execute arbitrary code, escaping the sandbox. The vulnerability carries a CVSS score of 9.8; any application that uses vm2 to run untrusted Node.js code needs to upgrade immediately to the latest version.
This is not the first time vm2 has been the subject of a critical CVE: back in July another batch of vulnerabilities was discovered. At that time the README was updated to announce the discontinuation of the library, but this has not stopped its popularity, as there are many situations where vm2 may be appropriate.
Many of these use cases are internal only and never run untrusted code. However, because this vulnerability can be triggered with a relatively simple exploit that is already publicly available, and because many internal-only tools eventually end up processing untrusted input, we recommend that anyone using vm2 update immediately to version 3.10.2.
If you are a Semgrep customer, you can search for the package in your dependencies using the package search tool. A rule for this vulnerability is now available; run it by starting a full scan from the Projects tab (Managed Scan users), in your CI, or locally.
How to tell if you are affected
vm2 is a library that helps sandbox untrusted JavaScript code using Node's internal proxying tools. While many uses of vm2 are rarely exposed publicly and instead sit behind internal tools, depending on the exact architecture it is sometimes possible to reach those tools from publicly available applications.
Therefore anyone who uses 3.10.1 or earlier should consider themselves affected. To resolve this vulnerability, simply update to 3.10.2. If you are a Semgrep customer, you can use this URL to check directly in Semgrep whether you are affected. As this is a remote code execution vulnerability, you should also be on the lookout for any post-exploitation activity.
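As an added example (not code from vm2 or from Semgrep), the following script applies the "3.10.1 or earlier" test above to a parsed package-lock.json, so that transitive copies of vm2 buried under other packages are caught as well as the direct dependency. It compares versions numerically, since a plain string comparison would wrongly rank 3.9.x above 3.10.x; the lockfile contents and package names in the sample are constructed.

```javascript
// Added example (not from the vm2 project or the post): scan a parsed package-lock.json
// for vm2 entries older than 3.10.2, the fixed version named above. Handles the nested
// "dependencies" tree of lockfileVersion 1 and the flat "packages" map of v2/v3.
const FIXED_VERSION = "3.10.2";

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns -1, 0 or 1 comparing a to b numerically, component by component.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Returns [{ path, version }] for every vm2 copy (direct or transitive) below the fix.
function findVulnerableVm2(lock) {
  const findings = [];
  const check = (path, entry) => {
    if (entry.version && compareSemver(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: entry.version });
    }
  };
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === "node_modules/vm2" || p.endsWith("/node_modules/vm2")) check(p, entry);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        if (name === "vm2") check(p, entry);
        walk(entry.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample (lockfileVersion 3): a vulnerable direct vm2 and a patched transitive copy.
const sampleLock = {
  packages: {
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.2" },
  },
};
```

Feed it the object from `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `sampleLock`; any entry it returns is a copy that still needs the update.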
If you are using vm2 for arbitrary, untrusted, user-submitted code, vm2 is probably not an appropriate tool. Instead, consider tools that isolate untrusted code from your application's Node.js process, such as the maintainer-recommended isolated-vm or containerized applications.