
CVE-2026-22709: Critical Sandbox Escape Vulnerability in vm2

Security researchers have uncovered a critical sandbox escape vulnerability in vm2, a popular JavaScript sandbox library used to execute untrusted code securely. The vulnerability, tracked as CVE-2026-22709, allows attackers to bypass sandbox protections and execute arbitrary code on the host system. Organizations using vm2 should upgrade to the patched version immediately.
Ashish Kurmi

January 27, 2026


Understanding the Vulnerability

The vulnerability exists in vm2 version 3.10.0 and earlier, where Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code on the host system.

The root cause lies in how vm2 handles Promise objects. In lib/setup-sandbox.js, the callback function of localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not. Since the return value of async functions is a globalPromise object, attackers can exploit this gap to break out of the sandbox.

This is particularly concerning because vm2 is specifically designed to run untrusted code safely—a sandbox escape completely defeats its purpose.

Affected Versions

Package: vm2

Affected Versions: <= 3.10.1

Patched Versions: >= 3.10.2

Severity: Critical (CVSS 9.8)

Identifying Your Exposure

StepSecurity provides tools to quickly identify vulnerable packages across your organization:

NPM Package Search: Use our tenant-wide package search to locate all instances of affected vm2 versions across your repositories.

Threat Center Monitoring: StepSecurity's Threat Center provides real-time alerts for critical vulnerabilities like this one, enabling rapid response when new threats emerge in your dependency chain.

Immediate Remediation Steps

  1. Upgrade immediately to vm2 version 3.10.2 or later
  2. Verify your upgrade using npm list vm2
  3. Review indirect dependencies that may include vm2 as a transitive dependency
  4. Audit usage patterns to ensure vm2 is only used where truly necessary
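Steps 2 and 3 above are easy to get wrong when vm2 is nested under another package, because a single top-level check misses transitive copies. The following script is an added example (not StepSecurity's or vm2's own code): it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and reports every vm2 install below the patched 3.10.2 release, flagging which ones are transitive. The lockfile content is a constructed sample; in practice you would pass the parsed contents of your repository's package-lock.json.

```javascript
// Constructed sample lockfile excerpt. In npm lockfile v2/v3 the "packages"
// keys are install paths, so nested (transitive) copies appear as
// "node_modules/<parent>/node_modules/vm2".
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { vm2: "^3.10.0" } },
    "node_modules/vm2": { version: "3.10.1" },
    "node_modules/some-plugin": { version: "1.4.0", dependencies: { vm2: "3.9.19" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
    "node_modules/other-tool/node_modules/vm2": { version: "3.10.2" },
  },
};

// Numeric comparison of dotted versions; returns -1, 0 or 1.
// Pre-release suffixes are dropped, which is adequate for a fix-version check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every vm2 install whose version is older than the patched release,
// including copies nested under other packages.
function findVulnerableVm2(lock, patched = "3.10.2") {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only entries that are vm2 itself, at any nesting depth.
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta.version && compareVersions(meta.version, patched) < 0) {
      hits.push({
        path,
        version: meta.version,
        transitive: path !== "node_modules/vm2",
      });
    }
  }
  return hits;
}

for (const hit of findVulnerableVm2(SAMPLE_LOCK)) {
  const kind = hit.transitive ? "transitive" : "direct";
  console.log(`vulnerable vm2 ${hit.version} (${kind}) at ${hit.path}`);
}
```

A transitive hit means the fix is in the parent package's dependency range, so upgrading vm2 at the top level alone will not remove it.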
