This is a summary of the AI-generated 10-question deep analysis.
Q1. What is this vulnerability? (Essence + Consequences)

**Essence**: A critical sandbox escape in `vm2` (Node.js VM).
**Consequences**: Attackers bypass the sandbox isolation and execute **arbitrary code** on the host, a total loss of the security boundary.
Q2. Root cause? (CWE/Flaw)

**Root Cause**: Improper handling of `SuppressedError`.
**CWE**: CWE-94 (Code Injection). The sandbox mishandles `SuppressedError` objects, so host context leaks into sandboxed code.
Q3. Who is affected? (Versions/Components)

**Affected**: `patriksimek/vm2` library.
**Versions**: All versions **prior to 3.11.0**.
**Fixed**: Version 3.11.0 and later.
Q4. What can attackers do? (Privileges/Data)

**Privileges**: Full host access.
**Data**: Read and write arbitrary files, execute system commands.
**Impact**: Complete server compromise (CVSS: High/Critical).
**Check**: Scan for a `vm2` dependency in `package.json` (and the lockfile, to catch transitive copies).
**Version**: Check whether the installed version is below 3.11.0.
**Tool**: Use SAST/DAST tools that detect CWE-94 in Node.js sandboxes.
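The version check above, as an added example that is not part of the original analysis or the vm2 project: it walks a parsed `package-lock.json` (lockfile v2/v3) and reports every installed copy of `vm2` below 3.11.0, including transitive copies nested under other packages. The sample lockfile and the `some-plugin` package name are constructed.

```javascript
// Added example: report installed vm2 copies older than the fixed 3.11.0
// in a parsed package-lock.json (lockfileVersion 2 or 3), whose "packages"
// map lists every installed copy, including nested transitive ones.
const FIXED_VERSION = '3.11.0';
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}
// Comparator: negative if a < b. A prerelease sorts before its release, so
// 3.11.0-beta.1 still counts as "before the fix". Prerelease tags are
// compared lexically here, a simplification of the full semver rules.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}
// Every vm2 entry whose version predates the fix. A transitive copy lives
// at "node_modules/<parent>/node_modules/vm2", which the regex also matches.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta.version && isVulnerableVm2(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}
// Constructed sample lockfile: vulnerable direct copy, patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.0' },
  },
};
console.log(findVulnerableVm2(SAMPLE_LOCK)); // [{ path: 'node_modules/vm2', version: '3.9.19' }]
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableVm2` instead of the constructed sample.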
Q8. Is it fixed officially? (Patch/Mitigation)

**Fixed**: Yes.
**Patch**: Upgrade to **vm2 v3.11.0+**.
**Ref**: See GitHub Release v3.11.0 for details.
Q9. What if no patch? (Workaround)

**No Patch?**:
1. **Isolate**: Run untrusted code in separate containers or processes.
2. **Disable**: Remove `vm2` if it is not strictly needed.
3. **Monitor**: Log and alert on suspicious child process spawns.
Q10. Is it urgent? (Priority Suggestion)

**Urgency**: **CRITICAL**.
**Priority**: **P0**.
**Action**: Patch immediately. CVSS is High (H/H/H). No authentication needed. High risk of active exploitation.