47 matches found

RedhatCVE
added yesterday, 6 views

CVE-2026-47141

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnostics_channel, async_hooks, and perf_hooks. These builtins, which are designed for...

CVSS 8.6 | AI score 5.7 | EPSS 0.00308
Exploits: 0 | References: 6
NVD
added 2026/06/12 3:16 p.m., 10 views

CVE-2026-47141

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules...

CVSS 6.9 | EPSS 0.00308
Exploits: 0 | References: 3
EUVD
added 2026/06/12 2:17 p.m., 10 views

EUVD-2026-36449

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules...

CVSS 6.9 | AI score 5.2 | EPSS 0.00308
Exploits: 0 | References: 3
Vulnrichment
added 2026/06/12 2:17 p.m., 7 views

CVE-2026-47141 vm2: NodeVM observability builtins leak host process and HTTP request data

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules...

CVSS 6.9 | AI score 5.3 | EPSS 0.00308
Exploits: 0 | References: 3
CVE
added 2026/06/12 2:17 p.m., 21 views

CVE-2026-47141

CVE-2026-47141 affects vm2 NodeVM where diagnostics_channel, async_hooks, and perf_hooks observability builtins were exposed to sandboxed code before patching in vm2 3.11.4. These process‑wide modules can leak host data (e.g., HTTP headers, AsyncResource state, performance entries) into the sandb...

CVSS 6.9 | AI score 5.2 | EPSS 0.00308
Exploits: 0 | References: 3
Github Security Blog
added 2026/05/29 6:20 p.m., 14 views

NodeVM observability builtins leak host process and HTTP request data

Summary: NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: diagnostics_channel, async_hooks, perf_hooks. These modules are process-wide, not sandbox-local. Sandboxed code c...

CVSS 6.9 | AI score 5.8 | EPSS 0.00308
Exploits: 0 | References: 5 | Affected Software: 1
Snyk
added 2026/05/29 6:20 p.m., 6 views

Incomplete List of Disallowed Inputs

Overview: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by supplying a sandb...

CVSS 8.2 | AI score 5.9 | EPSS 0.00308
Exploits: 0 | References: 2
OSV
added 2026/05/29 6:20 p.m., 8 views

GHSA-9G8X-92Q2-P28F NodeVM observability builtins leak host process and HTTP request data

Summary: NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: diagnostics_channel, async_hooks, perf_hooks. These modules are process-wide, not sandbox-local. Sandboxed code c...

CVSS 8.2 | AI score 5.8 | EPSS 0.00308
Exploits: 0 | References: 5
Positive Technologies
added 2026/05/29 12:0 a.m., 9 views

PT-2026-45023

Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.4. Description: NodeVM exposes process-wide observability builtins when they are permitted via require.builtin. Specifically, the diagnostics channel, async hooks, and perf hooks modules are not included in the dangero...

CVSS 6.9 | AI score 5.3 | EPSS 0.00308
Exploits: 0 | References: 6
Veracode
added 2026/03/20 7:24 a.m., 6 views

Denial Of Service (DoS)

Node.js is vulnerable to Denial of Service (DoS). The vulnerability is due to improper error handling when async_hooks.createHook is enabled, where "Maximum call stack size exceeded" errors become uncatchable and terminate the process instead of reaching uncaughtException, allowing attackers to...

CVSS 7.5 | AI score 7 | EPSS 0.00624
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/02/26 5:1 p.m., 5 views

CLSA-2026-1772125283 nodejs: Fix of 4 CVEs

- CVE-2025-23167: fix improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n.
- CVE-2025-59466: fix uncatchable stack overflow exceptions when async_hooks are enabled, preventing denial-of-service crashes in applications using AsyncLocalStorage or...

CVSS 7.5 | AI score 7.1 | EPSS 0.00978
Exploits: 1 | References: 1
RedHat Linux
added 2026/02/18 2:32 a.m., 2 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 7 | EPSS 0.00624
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/17 9:33 a.m., 0 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 5.8 | EPSS 0.00624
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/17 9:33 a.m., 3 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 5.8 | EPSS 0.00624
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/17 9:32 a.m., 1 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 5.8 | EPSS 0.00624
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/17 1:5 a.m., 3 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 5.8 | EPSS 0.00624
Exploits: 0 | References: 5
RedHat Linux
added 2026/02/17 12:48 a.m., 2 views

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications tha...

CVSS 7.5 | AI score 7 | EPSS 0.00624
Exploits: 0 | References: 5
OSV
added 2026/02/15 9:26 a.m., 3 views

OPENSUSE-SU-2026:20236-1 Security update for nodejs22

This update for nodejs22 fixes the following issues:

Update to 22.22.0:
- CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).
- CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure ...

CVSS 9.1 | AI score 7.1 | EPSS 0.01056
Exploits: 2 | References: 14
Tenable Nessus
added 2026/02/13 12:0 a.m., 4 views

SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:0457-1)

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0457-1 advisory.

Update to 20.20.0:
- CVE-2026-22036: Updated undici to 6.23.0 (bsc#1256848)
- CVE-2025-59465: Add TLSSocket default error handler...

CVSS 9.1 | AI score 7 | EPSS 0.01056
Exploits: 2 | References: 22
SUSE Linux
added 2026/02/11 9:25 a.m., 9 views

Security update for nodejs20

This update for nodejs20 fixes the following issues:

Update to 20.20.0:
- CVE-2026-22036: Updated undici to 6.23.0 (bsc#1256848)
- CVE-2025-59465: Add TLSSocket default error handler (bsc#1256573)
- CVE-2025-55132: Disable futimes when permission model is enabled (bsc#1256571)
- CVE-2025-55130: Require full read...

CVSS 9.2 | AI score 5.8 | EPSS 0.01056
Exploits: 2 | References: 28