The vm2 sandbox for Node.js prior to version 3.11.4 exposed process-wide observability built-in modules (diagnostics_channel, async_hooks, perf_hooks) to sandboxed code when allowed via require.builtin. These modules are not sandbox-local but process-wide, enabling sandboxed code to observe host application data beyond the intended isolation boundary. This constitutes an exposure of resources to an unintended sphere (CWE-668). The vulnerability has been patched in vm2 version 3.11.4.

Sandboxed code can access process-wide observability modules that allow it to monitor host application data, breaking the intended isolation of the vm2 sandbox. This may lead to unintended information disclosure from the host environment to the sandboxed code. There is no indication of privilege escalation or remote code execution from the provided data.

A fix is available in vm2 version 3.11.4 that patches this vulnerability by blocking exposure of these process-wide builtins. Users should upgrade to version 3.11.4 or later to remediate this issue. No other mitigation guidance is provided or required.