vm2 sandbox escape via __lookupGetter__

This repository is a small self-contained JavaScript proof-of-concept for escaping a vulnerable vm2 sandbox in a local lab environment. It contains two code files: lab.js, which creates an Express-based test service exposing POST /execute on localhost:3000 and runs supplied code inside a vm2 VM configured with sandbox {}, timeout 4000, and eval disabled; and exploit.js, which sends a crafted JavaScript payload to that endpoint using fetch. The exploit’s core capability is sandbox escape leading to host-side arbitrary command execution. The payload creates an Error object, sets err.name to a Symbol, invokes an async function returning err.stack, and in the promise rejection path accesses e.constructor.constructor to recover the host Function constructor. It then executes host JavaScript that imports child_process via process.mainModule.require('child_process') and runs shell commands on the underlying system. On success it prints markers plus the output of whoami and id, creates a timestamped proof file in /tmp, and appends an exploitation log entry to /tmp/vm2_lab.log. The repository is not part of a larger exploit framework; it is a standalone operational PoC with a hardcoded target and payload. The README and license are disclaimers only. The exploit is aimed at a deliberately vulnerable local Node.js lab using vm2 version 3.10.1. It is not merely a detector: it actively exploits the sandbox and demonstrates post-escape command execution. A commented section in exploit.js also shows how the payload could be replaced with a bash reverse shell callback to 127.0.0.1:4444, indicating the exploit can be adapted beyond simple proof-file creation.