Lucene search
K

5 matches found

Cvelist
Cvelist
added 2026/05/13 5:17 p.m.53 views

CVE-2026-43997 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbolnodejs.util.inspect.custom. This vulnerability...

10CVSS0.00976EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/13 5:17 p.m.14 views

CVE-2026-43997 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbolnodejs.util.inspect.custom. This vulnerability...

10CVSS6AI score0.00976EPSS
Exploits1References1
OSV
OSV
added 2026/02/25 5:26 p.m.2 views

GHSA-F229-3862-4942 @enclave-vm/core is vulnerable to Sandbox Escape

Summary It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution RCE. The issue has been fixed in version 2.11.1. --- Details It is possible to obtain the native Object constructor instead of the SafeObject wrapper. This can be...

10CVSS7AI score0.00878EPSS
Exploits2References4
RedHat Linux
RedHat Linux
added 2022/10/18 9:6 a.m.6 views

nodejs: DNS rebinding in --inspect via invalid IP addresses

A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided for instance, 10.0.2.555 is provided, browsers such as Firefox will make DNS requests ...

8.1CVSS7.7AI score0.05913EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2021/03/08 10:36 a.m.4 views

nodejs: DNS rebinding in --inspect

A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its response...

7.5CVSS7AI score0.32362EPSS
Exploits1References4
Rows per page
Query Builder