
10 matches found

NVD
added 2026/05/13 6:16 p.m., 5 views

CVE-2026-43997

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object to escape the sandbox; one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability...

CVSS 10, EPSS 0.00022
Exploits: 1, References: 1

CNNVD
added 2026/05/13 12:00 a.m., 4 views

vm2 security vulnerability

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from sandbox boundary violations. During...

CVSS 7.2, AI score 5.9, EPSS 0.00047
Exploits: 1, References: 1

CNNVD
added 2026/05/13 12:00 a.m., 4 views

vm2 code injection vulnerability

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability; this vulnerability stemmed from the possibility of...

CVSS 10, AI score 6.1, EPSS 0.00022
Exploits: 1, References: 1

Patchstack
added 2026/05/07 4:00 a.m., 4 views

NPM: vm2 Access to Host Object Enables Sandbox Escape

NPM: vm2 Access to Host Object Enables Sandbox Escape vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

CVSS 10, AI score 6, EPSS 0.00022
Exploits: 1, References: 4, Affected Software: 1

Github Security Blog
added 2026/05/07 4:00 a.m., 3 views

vm2 Access to Host Object Enables Sandbox Escape

Summary: It is possible to obtain the host Object. https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete. Details: There are various ways to use the host Object to escape the sandbox; one example would be usi...

CVSS 10, AI score 6, EPSS 0.00022
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2023/07/16 11:15 p.m., 1 view

CVE-2023-30989

IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain all object access to the host operating system. IBM X-Force ID: 254017...

CVSS 7.8, AI score 5.8
Exploits: 0, References: 2

CNNVD
added 2023/07/16 12:00 a.m., 1 view

IBM i security vulnerability

IBM i is a suite of operating systems from International Business Machines (IBM) running on IBM Power Systems and IBM PureSystems. A security vulnerability exists in IBM i versions 7.2, 7.3, 7.4, and 7.5, which can be exploited by an attacker to elevate privileges and gain access to all objects in...

CVSS 8.4, AI score 7.4, EPSS 0.00024
Exploits: 0, References: 3

OSV
added 2022/12/21 6:30 a.m., 1 view

GHSA-4W2J-2RG4-5MJW vm2 vulnerable to Arbitrary Code Execution

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise...

CVSS 9.8, AI score 7.2, EPSS 0.00495
Exploits: 1, References: 6

NVD
added 2022/12/21 5:15 a.m., 18 views

CVE-2022-25893

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise...

CVSS 9.8, EPSS 0.00495
Exploits: 1, References: 4

CNNVD
added 2022/12/21 12:00 a.m., 2 views

vm2 security vulnerability

vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic, used to run untrusted code using whitelisted Node built-in modules. A security vulnerability exists in vm2 versions prior to 3.9.10, which stems from the use of prototype lookups in the...

CVSS 9.8, AI score 8.9, EPSS 0.00495
Exploits: 1, References: 4