83 matches found
CVE-2026-47140
A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically process and inspector/promises. A...
CVE-2026-47140
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...
EUVD-2026-36448
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending...
EUVD-2026-36446
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...
CVE-2026-47140 vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...
CVE-2026-47140 vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...
CVE-2026-47140
CVE-2026-47140 - vm2 NodeVM denylist bypass : The vm2 sandbox (NodeVM) before version 3.11.4 did not block certain host-access primitives: processing modules like process and inspector/promises could be required from sandboxed code to bypass restrictions and execute code in the host process. Root...
GHSA-RP36-8XQ3-R6C4 NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Summary NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Summary NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...
Improper Control of Dynamically-Managed Code Resources
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the WebAssembly.promising and WebAssembly.Suspending JSPI APIs in...
GHSA-6J2X-VHQR-QR7Q vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
Summary A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending. In the tested configuration, a JSPI-backed Promise can reach...
Cross-site Scripting (XSS)
Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper serialization of hydratable promises. An attacker can execute arbitrary scripts in the context of the affected application by supplying specially...
PT-2026-38391
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A sandbox boundary violation allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the...
EUVD-2026-17180
An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...
CVE-2026-21716
An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...
CVE-2026-21716
An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...
CVE-2026-21716
An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...
CVE-2026-21716
CVE-2026-21716 : An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without required permission checks, while their callback-based counterparts were patched. This can allow code running under --permission with a restricted --allow-fs-write to...
CVE-2026-21716
An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...
Node.js: Permission Model bypass via FileHandle.utimes() in the promises API
Vulnerability description not provided...