Lucene search
K

9 matches found

Snyk
Snyk
added 2026/05/07 4:29 a.m.10 views

Improper Isolation or Compartmentalization

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An...

7.2CVSS5.6AI score0.002EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/01/28 3:16 a.m.5 views

CVE-2026-22709

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

10CVSS6AI score0.01222EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/01/26 9:32 p.m.3 views

CVE-2026-22709 vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/01/26 9:32 p.m.3 views

CVE-2026-22709

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/01/26 9:32 p.m.9 views

CVE-2026-22709 vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References5
CVE
CVE
added 2026/01/26 9:32 p.m.43 views

CVE-2026-22709

CVE-2026-22709 affects the vm2 Node.js sandbox module prior to 3.10.2. The vulnerability arises because Promise.prototype.then/catch sanitization is incomplete: the globalPromise path isn’t sanitized in lib/setup-sandbox.js, allowing an attacker to escape the sandbox and execute arbitrary code. U...

10CVSS5.9AI score0.01222EPSS
Exploits1References3Affected Software1
Snyk
Snyk
added 2026/01/26 6:57 p.m.6 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the unsafe usage of the .call with globalPromise.prototype.then callback function. An...

10CVSS6.2AI score0.01222EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/01/26 12:0 a.m.5 views

PT-2026-4821

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.2 Description vm2 is a Node.js library used to create sandboxed environments for executing untrusted code. A flaw exists in versions prior to 3.10.2 where the sanitization of Promise.prototype.then and...

10CVSS9AI score0.01222EPSS
Exploits1References58
EUVD
EUVD
added 2025/11/12 4:29 a.m.3 views

EUVD-2025-111262

Malicious code in mensa-global-promise-upgrade npm...

6.6AI score
Exploits0
Rows per page
Query Builder