New Sandbox Escape Affecting Popular Node.js Sandbox Library vm2
Blog post from Semgrep
The popular Node.js sandboxing library vm2 has announced a critical vulnerability with a CVSS score of 9.8 that allows attackers to bypass promise sanitization and execute arbitrary code, escaping the sandbox. The flaw highlights the risk of using vm2 to run untrusted code: a simple exploit compromises any application that relies on the library. Despite earlier vulnerabilities that led to a temporary discontinuation announcement, the library remains widely used, especially in internal tools. Users are urged to update to version 3.10.2 immediately, as older versions are susceptible to remote code execution. The vulnerability stems from a fail-open case in the promise catch block configuration, which lets global promise handlers bypass local-scope sanitization. The vm2 maintainers acknowledge the inherent risk of running arbitrary code and recommend alternatives such as isolated-vm or containerized applications for stronger isolation. The episode underscores that isolation should come from architecture rather than from sanitization alone.
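A practical first step is finding every copy of vm2 in a dependency tree, including copies nested under other packages, and flagging those below the fixed version. The following audit script is an added example, not code from the Semgrep post or the vm2 project; it assumes an npm lockfile v2/v3 `packages` map, uses the 3.10.2 threshold from the post, and runs against a constructed sample lockfile.

```javascript
// Added example (not from the Semgrep post): audit a package-lock.json
// "packages" map (lockfile v2/v3) for vm2 installs below the fixed version.
// FIXED_VM2_VERSION is the version the post says to upgrade to.

const FIXED_VM2_VERSION = "3.10.2";

// Compare dotted numeric versions (e.g. "3.9.19" vs "3.10.2"); any
// pre-release suffix after "-" is ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every vm2 install older than the fix. Lockfile keys are install
// paths, so a stale copy vendored under another dependency's node_modules
// is reported alongside the top-level one.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VM2_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level vm2 is patched, but a plugin
// still pins an older nested copy (sample values, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.2" },
    "node_modules/legacy-plugin": { version: "0.3.1" },
    "node_modules/legacy-plugin/node_modules/vm2": { version: "3.9.19" },
  },
};

for (const f of findVulnerableVm2(SAMPLE_LOCK)) {
  console.log(`${f.path}: vm2@${f.version} is below ${FIXED_VM2_VERSION}`);
}
```

Against a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json`; a clean run prints nothing.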