Lucene search
K

501 matches found

CVE
CVE
added 2026/06/12 2:16 p.m.20 views

CVE-2026-47208

Summary: CVE-2026-47208 affects vm2 prior to 3.11.4, enabling sandbox breakout and potential remote code execution. The root cause is in vm2’s sandbox implementation, where the localPromise constructor manipulates Promise.species and, via a crafted Promise subclass, can trigger a host-realm error...

10CVSS5.7AI score0.0051EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 2:16 p.m.8 views

CVE-2026-47140 vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...

10CVSS5.6AI score0.00536EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 2:16 p.m.11 views

EUVD-2026-36446

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...

10CVSS5.6AI score0.00536EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 2:16 p.m.29 views

CVE-2026-47140 vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...

10CVSS0.00536EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:16 p.m.50 views

CVE-2026-47140

CVE-2026-47140 - vm2 NodeVM denylist bypass : The vm2 sandbox (NodeVM) before version 3.11.4 did not block certain host-access primitives: processing modules like process and inspector/promises could be required from sandboxed code to bypass restrictions and execute code in the host process. Root...

10CVSS5.6AI score0.00536EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 2:15 p.m.9 views

CVE-2026-47139 vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:15 p.m.24 views

CVE-2026-47139

vm2 NodeVM burlon bypass vulnerability exists where public network modules are blocked but internal underscored HTTP builtins (_http_client, _http_server) remain reachable. The issue allows sandboxed code to perform outbound HTTP requests and open listening sockets despite network exclusions, ena...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 2:15 p.m.12 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

10CVSS5.1AI score0.00382EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/12 2:15 p.m.27 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

10CVSS0.00382EPSS
Exploits0References5
CVE
CVE
added 2026/06/12 2:15 p.m.23 views

CVE-2026-47137

Summary (CVE-2026-47137): The vm2 sandbox (NodeVM) had a bypass in versions prior to 3.11.4 where nesting: true with an unspecified require allowed full host RCE. The issue arose because a security check (options.nesting === true && options.require === false) only catches explicit require: false;...

10CVSS5.1AI score0.00382EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/12 2:14 p.m.9 views

EUVD-2026-36442

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox...

8.7CVSS5.2AI score0.00266EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 2:14 p.m.25 views

CVE-2026-47135 vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox...

8.7CVSS0.00266EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:14 p.m.41 views

CVE-2026-47135

CVE-2026-47135 vm2 sandbox escape : The vm2 sandbox (Node.js) before 3.11.4 exposes real cross-realm Node.js symbols due to an incomplete Symbol.for override (only blocks two of nine dangerous symbols) and missing isDangerousCrossRealmSymbol checks in bridge write traps (set/defineProperty/delete...

8.7CVSS5.2AI score0.00266EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 2:14 p.m.7 views

CVE-2026-47131 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from...

10CVSS5.5AI score0.004EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 2:14 p.m.26 views

CVE-2026-47131 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from...

10CVSS0.004EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 2:14 p.m.9 views

EUVD-2026-36441

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from...

10CVSS5.4AI score0.004EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:14 p.m.24 views

CVE-2026-47131

vm2 prior to 3.11.4 contains a sandbox escape: by using Buffer.call.call with {}.lookupGetter /lookupSetter and Node.js ERR_INVALID_ARG_TYPE, an attacker can obtain the host TypeError constructor and break out of the sandbox, enabling arbitrary code execution. The issue is fixed in vm2 v3.11.4. R...

10CVSS5.4AI score0.004EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 2:14 p.m.9 views

CVE-2026-47209 vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object...

8.6CVSS5.2AI score0.00287EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 2:14 p.m.10 views

EUVD-2026-36440

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object...

8.6CVSS5.2AI score0.00287EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:14 p.m.23 views

CVE-2026-47209

vm2 (Node.js sandbox) had a vulnerability in the BaseHandler.set trap that ignores the receiver parameter and always writes to the host target, enabling inherited-property writes to leak onto host objects via prototype chains. This can allow attackers to assign Symbol-keyed properties (e.g., node...

8.6CVSS5.2AI score0.00287EPSS
Exploits0References3
Rows per page
Query Builder