GHSA-76W7-J9CQ-RX2J vm2 is Vulnerable to Sandbox Breakout Through Promise Species

Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The localPromise constructor was changed to call this.thenundefined, eater to ensure a rejected promise i...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node.js modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from the CallSite wrapper class allowing...

Improper Isolation or Compartmentalization

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the setupSandboxScript bootstrap in lib/vm.js and lib/setup-sandbox.js. An attacke...

GHSA-V37H-5MFM-C47C VM2 Has Sandbox Breakout Through Inspect Function

Summary VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The node inspect method allows to log details of objects. To get to the...

CVE-2026-24781

A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by exploiting the inspect function. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity a...

EUVD-2026-4660

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of...

CVE-2022-31705

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller EHCI. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESX...

PT-2022-5844 · Vmware · Vmware Esxi +2

Name of the Vulnerable Software and Affected Versions: VMware ESXi, Workstation, and Fusion affected versions not specified Description: A heap out-of-bounds write vulnerability in the USB 2.0 controller EHCI allows a malicious actor with local administrative privileges on a virtual machine to...

CVE-2021-38834

easy-mock v1.5.0-v1.6.0 allows remote attackers to bypass the vm2 sandbox and execute arbitrary system commands through special js code...