A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy, and allows RCE via Function
in the host context.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.