
5 matches found

RedhatCVE
added 2026/06/05 7:12 p.m., 10 views

CVE-2026-44007

A flaw was found in vm2 before 3.11.1. With nesting: true, sandbox code can require 'vm2' regardless of outer require settings, including require: false, spawn an inner NodeVM with unrestricted require, and execute arbitrary OS commands on the host. Fixed in 3.11.1...

CVSS 9.9 | AI score 6.4 | EPSS 0.00831
Exploits: 1 | References: 5
IBM Security Bulletins
added 2024/03/15 1:58 p.m., 37 views

Security Bulletin: IBM Instana Observability for Synthetic PoP is affected by vulnerabilities in vm2

Summary: Vulnerabilities in vm2 were addressed in IBM Observability with Instana for Synthetic PoP build 256: CVE-2023-37903, CVE-2023-37466. Vulnerability Details: CVEID: CVE-2023-37903. DESCRIPTION: Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a...

CVSS 10 | AI score 10 | EPSS 0.0279
Exploits: 5 | Affected Software: 1
Huntr
added 2023/04/10 4:20 p.m., 29 views

An outdated dependency leads to remote command execution vulnerability

Description: A few days ago, the vm2 module of nodejs found a sandbox escape vulnerability, which was officially fixed in v3.9.15. However, a fixed vm2 version is hard-coded in the package.json v3.9.11 of the jsreport-core component of jsreport, which makes it impossible to install the latest vm2...

CVSS 7.5 | AI score 7 | EPSS 0.63186
Exploits: 2 | References: 1
IBM Security Bulletins
added 2022/04/11 3:16 p.m., 33 views

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555

Summary: Node.js module vm2 is used by IBM App Connect Enterprise Certified Container by the Box connector in a Designer flow. IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to CVE-2021-23555. This bulletin provides patch information ...

CVSS 10 | AI score 7.7 | EPSS 0.02695
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2021/12/03 4:49 p.m., 37 views

Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager

Summary: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager. Vulnerability Details: CVEID: CVE-2021-23449. DESCRIPTION: Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or...

CVSS 10 | AI score 9.5 | EPSS 0.03476
Exploits: 1 | Affected Software: 1