The VM2 sandbox vulnerabilities could lead to Remote Code Execution, which can have a severe impact on the confidentiality, integrity, and availability of the affected system. Attack complexity is low and no authentication is required to exploit these vulnerabilities.
The maintainer of the project announced on the 11th of July that the project is discontinued and no further patches will be made available to fix the vulnerabilities or any other future issue.
The advisories further disclose that proof-of-concept (PoC) code will be released on or after the 5th of September, which will make the exploitation of the weaknesses easier and more likely to occur.
The project was recently deprecated, and shortly afterwards two sandbox escape vulnerabilities were disclosed. They differ in the way the sandbox is escaped.
CVE-2023-37466 is a critical sandbox escape vulnerability in which the "Promise" handler sanitization can be bypassed, leading to Remote Code Execution, assuming the attacker already has an arbitrary code execution primitive inside the context of the vm2 sandbox.
CVE-2023-37903 is a critical sandbox escape vulnerability in which the Node.js custom inspect function can be exploited, leading to Remote Code Execution, assuming the attacker already has an arbitrary code execution primitive inside the context of the vm2 sandbox.
The Centre for Cybersecurity Belgium strongly recommends that organisations stop using the discontinued VM2 project in production as soon as possible. The developer of the project suggests that users migrate their code to the "isolated-vm" project. This project has not been verified by the CCB. Users are advised to assess how they will replace this project for their existing needs.