2 matches found
CVE-2026-22709
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...
PT-2023-3541
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.0 Description vm2 is an advanced sandbox for Node.js. A flaw in the sanitization of the Promise handler allows the @@species accessor property to be bypassed. This enables attackers who already have arbitrary code...