Lucene search
K

14 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.10 views

CVE-2026-44003

A flaw was found in vm2 before 3.11.0. A code transformer fast-path skips AST analysis when catch, import, and async are absent, allowing direct access to VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL and internal security functions handleException, wrapWith, import. Fixed in 3.11.0...

5.8CVSS5.8AI score0.00248EPSS
Exploits1References4
NVD
NVD
added 2026/05/13 6:16 p.m.52 views

CVE-2026-44003

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.8CVSS0.00248EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/13 5:30 p.m.7 views

CVE-2026-44003 vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.3CVSS5.8AI score0.00248EPSS
Exploits1References1
OSV
OSV
added 2026/05/08 4:22 p.m.8 views

GHSA-2CM2-M3W5-GP2F vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`

Summary https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched. Details It is still possible to get access to VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL. PoC js const VM = require"vm2"; const vm = new VM; console.logvm.run...

5.3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/08 4:22 p.m.24 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the setupSandboxScript bootstrap in lib/vm.js and lib/setup-sandbox.js. An attacker can read the...

6.9CVSS5.9AI score0.00248EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/07 4:32 a.m.15 views

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

5.8CVSS5.8AI score0.00248EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/05/07 4:32 a.m.12 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the transformer fast-path in the source instrumentation logic. An attacker can expose the internal...

6.9CVSS5.9AI score0.00248EPSS
Exploits1References2
OSV
OSV
added 2026/05/07 4:32 a.m.6 views

GHSA-WP5R-2GW5-M7Q7 vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

5.3CVSS5.8AI score0.00248EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.17 views

PT-2026-38394

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A performance optimization in the code transformer skips AST Abstract Syntax Tree analysis when the code does not contain the keywords catch, import, or async. This fast-path bypass allows sandboxed cod...

5.8CVSS5.9AI score0.00248EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2025/05/22 9:34 p.m.12 views

CVE-2021-43848

h2o is an open source http server. In code prior to the 8c0eca3 commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. Whe...

7.4CVSS6.8AI score0.02667EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2024/02/21 12:0 a.m.4 views

PT-2024-11692 · Unknown · Livebox Collaboration Vdesk

Name of the Vulnerable Software and Affected Versions: LIVEBOX Collaboration vDesk versions through v031 Description: An issue was discovered in LIVEBOX Collaboration vDesk, where an Observable Response Discrepancy can occur under the "/api/v1/vdeskintegration/user/isenableuser" endpoint, the...

7.5CVSS6.6AI score0.00539EPSS
Exploits0References6
CNNVD
CNNVD
added 2024/02/21 12:0 a.m.5 views

LIVEBOX Collaboration vDesk Security Vulnerability

LIVEBOX Collaboration vDesk is an application from LIVEBOX, Inc. A security vulnerability exists in LIVEBOX Collaboration vDesk v031 and later versions, which originates in the /api/v1/vdeskintegration/user/isenableuser, /login endpoints that provide different responses to incoming requests,...

7.5CVSS6.6AI score0.00539EPSS
Exploits0References2
OSV
OSV
added 2022/02/01 1:15 p.m.3 views

UBUNTU-CVE-2021-43848

h2o is an open source http server. In code prior to the 8c0eca3 commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. Whe...

7.4CVSS6.3AI score0.02667EPSS
Exploits1References4
CNNVD
CNNVD
added 2022/02/01 12:0 a.m.6 views

h2o 安全漏洞

h2o is a new generation of HTTP server. Not only is it very fast compared to older generation HTTP servers, but it also provides faster responses to end users. A security vulnerability exists in h2o, which stems from the fact that when QUIC frames are received in a particular order, h2o's HTTP/3...

7.4CVSS6AI score0.02667EPSS
Exploits1References3
Rows per page
Query Builder