CVE-2022-36067: CWE-913: Improper Control of Dynamically-Managed Code Resources in patriksimek vm2
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
AI Analysis
Technical Summary
CVE-2022-36067 is a security vulnerability identified in the vm2 sandbox, a widely used Node.js module designed to safely execute untrusted JavaScript code by restricting access to only whitelisted built-in Node modules. The vulnerability arises from improper control of dynamically-managed code resources (CWE-913), which allows an attacker to bypass the sandbox's security restrictions. Specifically, in vm2 versions prior to 3.9.11, a malicious actor can exploit this flaw to escape the sandbox environment and execute arbitrary code on the host system running the sandbox. This effectively grants remote code execution (RCE) capabilities, which can lead to full system compromise. The vulnerability was patched in version 3.9.11 of vm2, and no known workarounds exist for earlier versions. Although there are no known exploits currently observed in the wild, the nature of the vulnerability—allowing untrusted code to break out of a sandbox—makes it a critical concern for environments relying on vm2 for secure code execution. The vulnerability affects all deployments using vm2 versions below 3.9.11, which may be embedded in various applications and services that execute third-party or user-generated JavaScript code within Node.js environments.
Potential Impact
For European organizations, the impact of CVE-2022-36067 can be significant, especially for those relying on vm2 to isolate untrusted code execution in web services, cloud platforms, or development tools. Successful exploitation could lead to unauthorized remote code execution on critical servers, resulting in data breaches, service disruption, or lateral movement within corporate networks. This risk is heightened in sectors such as finance, healthcare, and critical infrastructure, where Node.js-based applications are prevalent and where data confidentiality and system integrity are paramount. Additionally, organizations providing SaaS or PaaS solutions that incorporate vm2 for sandboxing user scripts could face reputational damage and regulatory penalties under GDPR if the vulnerability is exploited to compromise customer data. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure. The medium severity rating reflects the requirement for the attacker to supply malicious code to the sandboxed environment, but the potential for full host compromise elevates the risk profile for affected organizations.
Mitigation Recommendations
European organizations should prioritize upgrading all vm2 instances to version 3.9.11 or later to apply the official patch. Since no workarounds exist, patching is the only effective mitigation. Organizations should conduct an inventory of applications and services using vm2, including indirect dependencies in their software supply chain, to identify vulnerable versions. Implementing strict input validation and sanitization on any user-supplied code executed within vm2 sandboxes can reduce the risk of exploitation. Additionally, deploying runtime monitoring and anomaly detection on systems running vm2 can help identify suspicious behavior indicative of sandbox escape attempts. Employing defense-in-depth strategies such as containerization, least privilege execution environments, and network segmentation can limit the impact of a successful exploit. Finally, organizations should review and update incident response plans to address potential RCE incidents originating from sandbox escapes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf68ee
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:41:22 PM
Last updated: 8/17/2025, 10:13:27 AM