32 matches found
CVE-2023-29199
The CVE-2023-29199 issue affects the vm2 Node.js module, specifically its source code transformer’s exception sanitization. Versions up to 3.9.15 are vulnerable to a sandbox bypass in handleException(), enabling leakage of unsanitized host exceptions and potential remote code execution in the hos...
CVE-2022-36067
CVE-2022-36067 (vm2) is a Node.js sandbox vulnerability in the vm2 library. In versions prior to 3.9.11, the sandbox protections can be bypassed, allowing a threat actor to gain remote code execution on the host running the sandbox. The issue has been fixed in vm2 3.9.11. The Initial Description ...
CVE-2023-30547
The connected IBM security bulletin confirms CVE-2023-30547 for vm2: a flaw in exception sanitization allows raising an unsanitized host exception inside handleException(), enabling sandbox escape and potential code execution in the host. Affected vm2 versions up to 3.9.16 are vulnerable; the iss...
CVE-2023-29017
VM2 (Node sandbox) contains a RCE flaw prior to 3.9.15 where host objects passed to Error.prepareStackTrace during unhandled async errors could bypass sandbox protections. Patched in vm2 release 3.9.15. Affected: vm2 versions before 3.9.15; remediation is to upgrade to 3.9.15 or later. The descri...
CVE-2023-32314
VM2 security summary (CVE family) VM2’s sandbox has multiple confirmed security issues affecting versions up to 3.9.19, including sandbox escapes and remote code execution. Notable entries in connected docs describe: (1) escape via host objects created under Proxy in vm2
CVE-2021-23555
The CVE-2021-23555 entry concerns the Node.js vm2 sandbox module (pre-3.9.6) allowing a sandbox bypass via direct access to host error objects generated during stack-trace creation, enabling possible remote arbitrary code execution. Concrete details across connected docs indicate this affects vm2...
CVE-2023-37903
CVE-2023-37903 — vm2 (Node.js sandbox) Affected: vm2 versions up to and including 3.9.19, which is an open-source VM/sandbox for Node.js. Root cause: The library’s sandbox escape can be triggered via the Node.js custom inspect function, enabling an attacker to escape the sandbox and execute code ...
CVE-2023-37466
CVE-2023-37466 — vm2 (Node.js sandbox): The initial description confirms critical sandbox escape risk in vm2 versions up to 3.9.19 due to bypass of Promise handler sanitization via the @@species accessor, enabling attackers to escape the sandbox and potentially achieve remote code execution withi...
CVE-2022-25893
CVE-2022-25893 affects the vm2 Node.js module (pre-3.9.10) and is caused by a prototype pollution flaw in WeakMap.prototype.set, enabling an attacker to access host objects and potentially compromise the sandbox, leading to arbitrary code execution. Reported impact in the sources: remote code exe...
CVE-2023-32313
Affected software: vm2 (Node.js sandbox). The connected documents confirm CVE-2023-32313 affects vm2 versions 3.9.17 and earlier, where an attacker could obtain a read-write reference to Node’s inspect method and modify options for console.log, enabling potential tampering with console output. Th...
CVE-2021-23449
The CVE-2021-23449 entry concerns the Node.js vm2 package (pre-3.9.4). A Prototype Pollution flaw allows an attacker to modify Object.prototype via proto /constructor payloads, which can lead to sandbox escape and execution of arbitrary code on the host. Impact is described as remote code executi...
CVE-2019-10761
CVE-2019-10761 affects vm2 before 3.6.11. A RangeError can be triggered from the host by infinite recursion within the sandbox, allowing the attacker to reference the host’s mainModule and spawn a child_process to execute arbitrary code. Documented exploits/pocs demonstrate sandbox escape and rem...
CVE-2026-22709
CVE-2026-22709 affects the vm2 Node.js sandbox module prior to 3.10.2. The vulnerability arises because Promise.prototype.then/catch sanitization is incomplete: the globalPromise path isn’t sanitized in lib/setup-sandbox.js, allowing an attacker to escape the sandbox and execute arbitrary code. U...
CVE-2026-45411
vm2 is a Node.js sandbox; prior to 3.11.3, an async generator yield* can cause host exceptions to escape the VM when the generator is closed with return, with exceptions from then being routed to the yield* iterator as the next value, enabling arbitrary host commands. This is fixed in 3.11.3. The...
CVE-2026-24781
vm2 is an open source Node.js sandbox; prior to version 3.11.0 it suffers a sandbox breakout through the inspect function that allows code to escape the VM2 sandbox and run arbitrary host commands. The issue has been fixed in version 3.11.0. Affected: vm2 (Node.js VM2 sandbox); root cause: sandbo...
CVE-2026-43997
CVE-2026-43997 affects the vm2 sandbox for Node.js. The vuln enables an attacker to obtain the host Object and escape the sandbox, potentially leading to arbitrary code execution (RCE). Affected versions were
CVE-2026-44001
Summary : CVE-2026-44001 affects vm2 before version 3.11.0, where a sandbox escape allows sandboxed code to crash the host Node.js process via an unhandled rejection from a Promise executor. The issue stems from the executor path not being sanitized, even though the earlier CVE-2026-22709 fix add...
CVE-2026-44002
CVE-2026-44002 affects the vm2 sandbox for Node.js. Before 3.11.0, the CallSite wrapper blocks getThis() and getFunction() but allows getFileName() to reveal unsanitized host absolute paths. This enables sandboxed code to leak the host directory structure, library paths, and framework versions (v...
CVE-2026-44008
CVE-2026-44008 describes a vm2 sandbox escape in the Node.js vm2 library. Before version 3.11.2, the method neutralizeArraySpeciesBatch could interact with objects from the outside and, via a getter on Array.prototype, expose host objects to the sandbox, allowing an attacker to access the host Fu...
CVE-2026-24118
VM2 (Node.js VM/Sandbox) prior to version 3.11.0 contains a sandbox breakout vulnerability that allows attackers to escape the VM2 sandbox and run arbitrary commands on the host. Impact is described as high for confidentiality, integrity, and availability. The issue has been fixed in version 3.11...
CVE-2026-44003
vm2 (Node.js sandbox) prior to version 3.11.0 includes a transformer fast-path that bypasses AST analysis when code does not contain catch, import, or async, allowing sandboxed code to access internal state VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL and its security helpers (handleExcepti...
CVE-2026-44009
vm2 (Node.js sandbox) contains a sandbox-breakout vulnerability: CVE-2026-44009, triggered by a null-proto exception in handleException, can let an attacker access the host Function and run arbitrary code, enabling remote-code-execution within the host. Affected: versions ≤ 3.11.1; patched in 3.1...
CVE-2026-44007
vm2 contains a vulnerability where creating a NodeVM with nesting: true allows sandbox code to bypass outer VM restrictions (e.g., require: false) and construct an inner NodeVM with unrestricted require settings to execute host commands. Affected: vm2 versions up to 3.11.0 (and prior to 3.11.1). ...
CVE-2026-26956
CVE-2026-26956 concerns the vm2 sandbox for Node.js. Affected: vm2 v3.10.4 allows full sandbox escape enabling arbitrary code execution when code runs inside VM.run(); attacker code can access the host process and execute host commands. Patch available in v3.10.5. Impact flags from CVSS indicate ...
CVE-2026-44006
vm2 (Node.js sandbox) contains a code execution risk via a vulnerability in BaseHandler.getPrototypeOf that can enable sandbox escape and remote code execution. The CVE-2026-44006 flaw affects versions up to 3.10.x and is fixed in 3.11.0. Exploitation relies on reaching BaseHandler.getPrototypeOf...
CVE-2026-44004
CVE-2026-44004 affects vm2, an open‑source VM/sandbox for Node.js. Before version 3.11.0, sandboxed code can call Buffer.alloc() with any size, allocating host-heap memory directly via a synchronous C++ call; vm2’s timeout cannot interrupt such calls. A single request can exhaust memory and crash...
CVE-2026-44005
The CVE-2026-44005 entry concerns vm2, a Node.js sandbox library. From versions 3.9.6 through 3.10.5, vm2’s bridge exposes mutable host-intrinsic prototypes and forwards sandbox writes into host objects, enabling attacker-controlled code inside a sandbox (default VM or inherited NodeVM) to mutate...
CVE-2026-24120
Technical details about CVE-2026-24120 are not publicly available in the provided documents. The affected components, root cause, impact, and fixes are not specified here. Monitor for updates.
CVE-2026-44000
CVE-2026-44000 (vm2) : A sandbox boundary bypass in vm2 prior to version 3.11.0 allows host object identity to cross into the sandbox via host Promise resolution. When a host-side Promise resolves to a host object and is exposed to the sandbox, the value delivered to the sandbox .then() callback ...
CVE-2026-43999
CVE-2026-43999 affects vm2’s NodeVM when the builtins allowlist is configured with a wildcard that includes the module builtin. Prior to version 3.11.0, the module builtin can bypass vm2’s allowlist via Module._load, because vm2 exposes the host’s Module object through a readonly proxy that still...
CVE-2026-43998
The CVE-2026-43998 issue affects vm2 (NodeVM) where require.root restrictions can be bypassed via filesystem symlinks. The root cause is that path.resolve() is used for validation (which does not dereference symlinks) while Node’s native require() follows symlinks, enabling sandboxed host code to...
CVE-2026-26332
vm2 (Node.js sandbox) contains a sandbox-escape vulnerability: prior to 3.11.0, SuppressedError can allow code execution outside the sandbox. The issue is fixed in version 3.11.0. Affected software: vm2; impact described as arbitrary code execution with sandbox escape. No exploitation details are...