GHSA-947f-4v7f-x2v8

Summary

NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution.

Severity

Critical (CVSS 3.1: 9.9)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

• Attack Vector: Network — sandboxed code is typically received from external sources (user-submitted scripts, plugin code)
• Attack Complexity: Low — no special conditions required; ['*', '-child_process'] is a common, documented pattern
• Privileges Required: Low — attacker needs only the ability to submit code to the sandbox, which is the intended use case
• User Interaction: None
• Scope: Changed — escape from sandbox boundary to host system
• Confidentiality Impact: High — arbitrary command execution on the host
• Integrity Impact: High — arbitrary command execution on the host
• Availability Impact: High — arbitrary command execution on the host

Affected Component

• lib/builtin.js — makeBuiltinsFromLegacyOptions() (lines 109-117) — includes module in '*' expansion
• lib/builtin.js — addDefaultBuiltin() (lines 86-90) — loads module with generic readonly wrapper
• lib/builtin.js — SPECIAL_MODULES (line 61) — does NOT include module

CWE

• CWE-863: Incorrect Authorization

Description

Root Cause: The module builtin provides unrestricted host module loading

When builtin: ['*', '-child_process'] is configured, makeBuiltinsFromLegacyOptions iterates over BUILTIN_MODULES and adds all modules not explicitly excluded:

// lib/builtin.js:40
const BUILTIN_MODULES = (nmod.builtinModules || Object.getOwnPropertyNames(process.binding('natives')))
    .filter(s=>!s.startsWith('internal/'));

//...