Lucene search
K

4 matches found

Veracode
Veracode
added 2026/01/30 7:56 a.m.6 views

Sandbox Escape

vm2 is vulnerable to Sandbox Escape. The vulnerability is due to incomplete sanitization of Promise callbacks, where globalPromise.prototype.then and catch are not sanitized while localPromise is, this allowing attackers to bypass sandbox restrictions via async function return values and execute...

10CVSS6.2AI score0.01222EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/01/26 9:32 p.m.8 views

EUVD-2026-4660

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/26 9:32 p.m.3 views

CVE-2026-22709 vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

9.8CVSS5.9AI score0.01222EPSS
Exploits1References3
CVE
CVE
added 2026/01/26 9:32 p.m.41 views

CVE-2026-22709

CVE-2026-22709 affects the vm2 Node.js sandbox module prior to 3.10.2. The vulnerability arises because Promise.prototype.then/catch sanitization is incomplete: the globalPromise path isn’t sanitized in lib/setup-sandbox.js, allowing an attacker to escape the sandbox and execute arbitrary code. U...

10CVSS5.9AI score0.01222EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder