Lucene search
K

7 matches found

OSV
OSV
added 2026/05/07 4:10 a.m.6 views

GHSA-HW58-P9XV-2MJH vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

Summary A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10.2 only sanitized the onRejected callback in .then and...

8.6CVSS5.9AI score0.00448EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/05/07 4:10 a.m.15 views

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

Summary A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10.2 only sanitized the onRejected callback in .then and...

10CVSS7.6AI score0.01222EPSS
Exploits2References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/28 3:16 a.m.5 views

CVE-2026-22709

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

10CVSS6AI score0.01222EPSS
Exploits1References1
CVE
CVE
added 2026/01/26 9:32 p.m.41 views

CVE-2026-22709

CVE-2026-22709 affects the vm2 Node.js sandbox module prior to 3.10.2. The vulnerability arises because Promise.prototype.then/catch sanitization is incomplete: the globalPromise path isn’t sanitized in lib/setup-sandbox.js, allowing an attacker to escape the sandbox and execute arbitrary code. U...

10CVSS5.9AI score0.01222EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/26 9:32 p.m.3 views

CVE-2026-22709 vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References3
Circl
Circl
added 2026/01/26 7:10 p.m.10 views

CVE-2026-22709

creationtimestamp| type| source ---|---|--- 2026-01-26 19:10:38+00:00| seen| https://gist.github.com/alon710/1a9dd02522093ff2ceb805cf35c0f14f 2026-01-26 22:34:23+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mdechvpf7f2g 2026-01-27 01:25:49+00:00| seen|...

10CVSS8.1AI score0.01222EPSS
Exploits1References22
vulnersOsv
vulnersOsv
added 2026/01/26 6:57 p.m.8 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-22709 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

10CVSS7.4AI score0.01222EPSS
Exploits1
Rows per page
Query Builder