Xmiliah

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.11.3 **Description** A sandbox breakout allows attackers to execute arbitrary commands on the host system. This occurs because a host exception can be caught using the `yield*` expression within an async generator. When the generator is closed via the `return` function, the value is awaited, and exceptions thrown in the `then` call are caught by the runtime and passed to the `yield*` iterator as the next value. **Recommendations** Update to version 3.11.3.

**Name of the Vulnerable Software and Affected Versions** VM2 (affected versions not specified) **Description** A sandbox breakout allows attackers to execute arbitrary commands on the host system. The issue occurs because the `neutralizeArraySpeciesBatch()` function interacts with objects from an external context and can trigger a getter on the array prototype, exposing host objects into the sandbox. This mechanism enables an attacker to obtain the host `Function` object and achieve remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VM2 (affected versions not specified) **Description** A sandbox breakout allows attackers to write code that escapes the VM2 sandbox to execute arbitrary commands on the host system. This occurs in the `handleException()` function where exceptions with a null prototype are assumed to be proxied from another side. By throwing and catching an object with a null prototype, an attacker can obtain both the proxied and unproxied versions of a sandbox object, enabling access to the host `Function` object and resulting in Remote Code Execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.11.0 **Description** vm2 is an open source sandbox for Node.js. A sandbox breakout occurs through the `inspect()` function, allowing attackers to write code that escapes the sandbox environment and executes arbitrary commands on the host system. **Recommendations** Update to version 3.11.0. As a temporary workaround, consider restricting the use of the `inspect()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.10.5 **Description** An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is possible because the `resetPromiseSpecies()` function, which is intended to reset the `species` property of promise objects, relies on `[].includes` and `Object.defineProperty`. These functions can be overwritten to prevent the property from being changed, leading to remote code execution if an attacker can run arbitrary code within the sandbox context. **Recommendations** Update to version 3.10.5.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.11.0 **Description** vm2 is an open source sandbox for Node.js that contains a sandbox breakout issue caused by incorrect code generation management. This allows attackers to bypass JavaScript sandbox isolation and execute arbitrary commands on the host system. The issue stems from the ` lookupGetter ` method, which can switch between host and sandbox versions when passed to another context. By using the host `apply` method via `Buffer.apply`, an attacker can access getters in the host context. This process enables the retrieval of the host `Function.prototype` object and the host `Function` through the `constructor` property, allowing the creation and execution of code in the host context. Attempts to mitigate this using `Object.getOwnPropertyDescriptor` to access the `constructor` property can circumvent previous fixes. **Recommendations** Update to version 3.11.0.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.9.10 **Description** The issue is related to Arbitrary Code Execution due to the usage of prototype lookup for the `WeakMap.prototype.set` method. This allows access to a host object and can lead to a sandbox compromise. **Recommendations** For versions prior to 3.9.10, update to version 3.9.10 or later to resolve the issue. As a temporary workaround, consider restricting the usage of the `WeakMap.prototype.set` method until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.6.11 **Description** The issue allows an attacker to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script, allowing it to spawn a child process and execute arbitrary code. **Recommendations** For versions prior to 3.6.11, update to version 3.6.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of infinite recursion in scripts to minimize the risk of exploitation.