CVE-2026-44001

A flaw was found in vm2 before 3.11.0. Sandboxed code can crash the host Node.js process via a Promise constructor that triggers an unhandled rejection propagating to the host; the CVE-2026-22709 fix only sanitized .then/.catch callbacks, not the executor path. Fixed in 3.11.0. Mitigation Upgrade...

CVE-2026-44001

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10....

CVE-2026-44001 vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10....

CVE-2026-44001 vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10....

CVE-2026-44001

Summary : CVE-2026-44001 affects vm2 before version 3.11.0, where a sandbox escape allows sandboxed code to crash the host Node.js process via an unhandled rejection from a Promise executor. The issue stems from the executor path not being sanitized, even though the earlier CVE-2026-22709 fix add...

Uncaught Exception

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host...

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection Process Crash DoS vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

GHSA-HW58-P9XV-2MJH vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

Summary A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10.2 only sanitized the onRejected callback in .then and...

PT-2026-38392

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A sandbox escape allows sandboxed code to crash the host Node.js process. This occurs when a Promise constructor triggers an unhandled rejection that propagates to the host. Specifically, when sandboxed...

PT-2024-9874 · Pwndoc · Pwndoc

Name of the Vulnerable Software and Affected Versions: PwnDoc versions up to and including 0.5.3 Description: The issue is related to insufficient input validation in the audits interface of the PwnDoc tool, which can be exploited by an authenticated user to crash the backend by raising an...

GHSA-C7QV-Q95Q-8V27 Denial of service in http-proxy-middleware

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service DoS due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths...

ZEIT Next.js 代码问题漏洞

ZEIT Next.js is an open source web application framework from ZEIT based on Vue.js, Node.js, Webpack and Babel.js. A security vulnerability exists in ZEIT Next.js that stems from the fact that when a specific request is sent to the Next.js server, it may cause an unhandledRejection in the server,...

GHSA-WFF4-FPWG-QQV3 Unexpected server crash in Next.js

Impact When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling. - Affected: All of the following must be true to be affected by this CVE - Node.j...