CVE-2026-45411
published 2026-05-13

CVE-2026-45411: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator…

Priority: P2 · 62
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.8th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.
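The delegation behaviour the description relies on, shown as an added example that is not part of the advisory or of vm2's own code. It uses plain JavaScript with no sandbox at all: a hand-rolled async iterator stands in for sandbox-controlled code, and a constructed Error stands in for the host exception. The names makeDelegate, outer and demo are this example's own; everything else is standard language semantics.

```javascript
// Added example (not vm2 project code): the language-level mechanism behind
// CVE-2026-45411, reproduced with plain JavaScript and no sandbox involved.
//
// An async generator suspended inside `yield*` is closed with `.return(v)`.
// The runtime awaits `v` before completing the return. If `v` is a thenable
// whose `then` throws, the caller of `.return()` never sees that exception:
// the runtime converts it into a throw resumption and hands it to the
// delegate iterator's `throw()` method. The delegate is whatever object the
// generator author delegated to, so that object ends up in the author's
// hands with its identity intact. In vm2 < 3.11.3 the object delivered this
// way could be an unwrapped host-realm exception (per the advisory); here it
// is a constructed Error so the flow can be observed offline.

function makeDelegate(log) {
  // Hand-rolled async iterator: the `yield*` target controlled by the caller.
  return {
    [Symbol.asyncIterator]() { return this; },
    next(v) {
      log.push(['next', v]);
      return Promise.resolve({ value: 'first', done: false });
    },
    throw(err) {
      // This is where the thrown value arrives. Sandbox code would hold `err` here.
      log.push(['throw', err]);
      return Promise.resolve({ value: 'closed-after-throw', done: true });
    },
    return(v) {
      // Not reached when the awaited return value rejects (see demo()).
      log.push(['return', v]);
      return Promise.resolve({ value: v, done: true });
    },
  };
}

async function* outer(delegate) {
  // Delegate everything, including return/throw resumptions, to `delegate`.
  const result = yield* delegate;
  return result;
}

async function demo() {
  const log = [];
  const gen = outer(makeDelegate(log));

  // Advance once so the generator is parked inside the yield* delegation.
  const first = await gen.next();

  // Close the generator with a thenable whose `then` throws. The constructed
  // Error stands in for the host exception the advisory describes.
  const injected = new Error('thrown from then()');
  const poison = { then() { throw injected; } };
  const closed = await gen.return(poison);

  const throwEntry = log.find(([kind]) => kind === 'throw');
  return {
    firstValue: first.value,                                   // 'first'
    delegateSawReturn: log.some(([kind]) => kind === 'return'), // false
    delegateSawThrow: throwEntry !== undefined,                // true
    sameObject: throwEntry !== undefined && throwEntry[1] === injected, // true: no wrapping
    closedValue: closed.value,                                 // 'closed-after-throw'
    closedDone: closed.done,                                   // true
  };
}

// Stand-alone run: prints the observations above.
demo().then((r) => console.log(r));
```

Two things in the result matter for the advisory. The delegate's return() is never invoked, so any cleanup or wrapping a sandbox places on that path is skipped; and the object that reaches throw() is the very object thrown inside then(), not a copy. Where the runtime's await machinery produces a host-realm exception, a vm2 build before 3.11.3 therefore handed sandbox code a host object outside its bridge, which is the condition the description summarises as a sandbox escape.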

Affected

5 ranges

Vendor                        Product              Version range     Fixed in
ansible-automation-platform   automation-portal    (under investigation)
patriksimek                   vm2                  < 3.11.3          3.11.3
rhdh                          rhdh-hub-rhel9       (under investigation)
vm2_project                   vm2                  < 3.11.3          3.11.3
vm2_project                   vm2                  >= 0 < 3.11.3     3.11.3

Detection & IOCs (extracted from sources)

  • Sandbox escape via a yield* expression inside an async generator — review sandboxed code for yield* delegation within async generators, particularly where the generator is closed via return(), as this is the specific attack vector for CVE-2026-45411. Treat this as a weak indicator only: the pattern is trivially obfuscated, and the fix, not pattern matching, is the control.
  • Target environment: vm2 versions prior to 3.11.3 running on Node.js — flag any deployment of vm2 < 3.11.3 as vulnerable to arbitrary host command execution via sandbox escape, including nested copies pulled in transitively.
  • Unauthenticated remote exploitation possible — any endpoint that accepts user-supplied code and executes it inside a vm2 sandbox is an attack surface; alert on unauthenticated remote code submission to vm2-backed services. The PR:N/UI:N vector assumes the attacker can already get code into the sandbox, so the exposure of each such endpoint determines the practical risk.
  • Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) is listed as under investigation for this CVE — patch status not yet confirmed.
  • Ansible Automation Platform self-service portal (ansible-automation-platform/automation-portal) is listed as under investigation for this CVE — patch status not yet confirmed.
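An inventory check for the vulnerable range in the Affected table, added here as an example rather than taken from the advisory or the vm2 project. It walks an npm package-lock.json of lockfileVersion 2 or 3, where every installed copy of a package, nested ones included, is a key under "packages", and reports each vm2 copy older than 3.11.3. The lockfile content, the function names and the fixed-version comparison are this example's own; lockfileVersion 1 files (which use a nested "dependencies" tree) are not handled.

```javascript
// Added example (not from the advisory or the vm2 project): flag every copy
// of vm2 below 3.11.3 in an npm lockfile. Assumes lockfileVersion 2 or 3.

const FIXED_VERSION = '3.11.3';

function parseVersion(v) {
  // Drop a leading "v" and any build metadata, split off a pre-release tag,
  // then compare the numeric core. A pre-release of 3.11.3 sorts below the
  // release, so it is still reported as vulnerable.
  const [core, prerelease] = v.replace(/^v/, '').split('+')[0].split('-');
  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, prerelease: prerelease !== undefined };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

function isVulnerableVm2Version(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

function findVm2Copies(lockfile) {
  // Top-level copy lives at "node_modules/vm2"; nested copies end with
  // "/node_modules/vm2" (e.g. node_modules/<dep>/node_modules/vm2).
  const packages = lockfile.packages || {};
  return Object.entries(packages)
    .filter(([path]) => path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2'))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: isVulnerableVm2Version(meta.version),
    }));
}

// Constructed sample lockfile: the top-level vm2 is patched, but a dependency
// still pins a nested, vulnerable copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.3' },
    'node_modules/legacy-runner': { version: '2.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.19' },
  },
};

// Stand-alone run: lists each copy with its verdict.
for (const copy of findVm2Copies(SAMPLE_LOCKFILE)) {
  console.log(`${copy.path} ${copy.version} ${copy.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of SAMPLE_LOCKFILE. The nested copy is the case that `npm ls vm2` at the top level is easy to miss and is exactly what the second detection bullet above means by flagging any deployment of vm2 < 3.11.3.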

CVSS provenance

Source          Score   Severity   Vector
nvd (v3.1)      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa            8.6     HIGH
vendor_redhat   9.8     CRITICAL