5 matches found
CVE-2026-44007
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require 'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM wi...
Security Bulletin: IBM Instana Observability for Synthetic PoP is affected by vulnerabilities in vm2
Summary: Vulnerabilities in vm2 were addressed in IBM Observability with Instana for Synthetic PoP build 256: CVE-2023-37903, CVE-2023-37466. Vulnerability Details: CVEID: CVE-2023-37903 DESCRIPTION: Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a...
An outdated dependency leads to remote command execution vulnerability
Description: A few days ago, the vm2 module of nodejs found a sandbox escape vulnerability, which was officially fixed in v3.9.15. However, a fixed vm2 version is hard-coded in the package.json v3.9.11 of the jsreport-core component of jsreport, which makes it impossible to install the latest vm2...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555
Summary: Node.js module vm2 is used by IBM App Connect Enterprise Certified Container by the Box connector in a Designer flow. IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to CVE-2021-23555. This bulletin provides patch information ...
Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager
Summary: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager. Vulnerability Details: CVEID: CVE-2021-23449 DESCRIPTION: Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or...