Patriksimek Vm2 vulnerabilities
34 known vulnerabilities affecting patriksimek/vm2.
Total CVEs
34
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL24HIGH6MEDIUM4
Vulnerabilities
Page 1 of 2
CVE-2023-30547P1CRITICALCVSS 10.0fixed in 3.9.172023-04-17
CVE-2023-30547 [CRITICAL] CWE-74 CVE-2023-30547: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulne
nvd
CVE-2023-37466P2CRITICALCVSS 10.0PoCfixed in 3.10.52023-07-14
CVE-2023-37466 [CRITICAL] CWE-94 CVE-2023-37466: vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run
nvd
CVE-2022-36067P1CRITICALCVSS 10.0fixed in 3.9.112022-09-06
CVE-2022-36067 [CRITICAL] CWE-913 CVE-2022-36067: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions p
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
nvd
CVE-2023-29017P2CRITICALCVSS 9.8fixed in 3.9.152023-04-06
CVE-2023-29017 [CRITICAL] CWE-913 CVE-2023-29017: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to vers
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. T
nvd
CVE-2023-32314P2CRITICALCVSS 10.0fixed in 3.9.182023-05-15
CVE-2023-32314 [CRITICAL] CWE-74 CVE-2023-32314: vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerab
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights o
nvd
CVE-2023-29199P2CRITICALCVSS 10.0fixed in 3.9.162023-04-14
CVE-2023-29199 [CRITICAL] CWE-913 CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for ve
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remo
nvd
CVE-2026-43999P2CRITICALCVSS 9.9fixed in 3.11.02026-05-13
CVE-2026-43999 [CRITICAL] CWE-863 CVE-2026-43999: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be byp
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows san
nvd
CVE-2023-37903P2CRITICALCVSS 10.0fixed in 3.11.42023-07-21
CVE-2023-37903 [CRITICAL] CWE-78 CVE-2023-37903: vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.j
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches an
nvd
CVE-2026-47208P2CRITICALCVSS 10.0fixed in 3.11.42026-06-12
CVE-2026-47208 [CRITICAL] CWE-913 CVE-2026-47208: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox br
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.
nvd
CVE-2026-22709P2CRITICALCVSS 10.0fixed in 3.11.02026-01-26
CVE-2026-22709 [CRITICAL] CWE-94 CVE-2026-22709: vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.the
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.p
nvd
CVE-2026-24781P2CRITICALCVSS 9.8fixed in 3.11.02026-05-04
CVE-2026-24781 [CRITICAL] CWE-94 CVE-2026-24781: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox br
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
nvd
CVE-2026-47140P2CRITICALCVSS 10.0fixed in 3.11.42026-06-12
CVE-2026-47140 [CRITICAL] CWE-693 CVE-2026-47140: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangero
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed co
nvd
CVE-2026-26332P2CRITICALCVSS 10.0fixed in 3.11.02026-05-04
CVE-2026-26332 [CRITICAL] CWE-94 CVE-2026-26332: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attack
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
nvd
CVE-2026-26956P2CRITICALCVSS 9.8v= 3.10.42026-05-04
CVE-2026-26956 [CRITICAL] CWE-693 CVE-2026-26956: vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox e
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.
nvd
CVE-2026-24118P2CRITICALCVSS 9.8fixed in 3.11.02026-05-04
CVE-2026-24118 [CRITICAL] CWE-94 CVE-2026-24118: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox br
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
nvd
CVE-2026-47210P2CRITICALCVSS 9.8fixed in 3.11.42026-06-12
CVE-2026-47210 [CRITICAL] CWE-913 CVE-2026-47210: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerabilit
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promis
nvd
CVE-2026-44008P2CRITICALCVSS 9.8fixed in 3.11.22026-05-13
CVE-2026-44008 [CRITICAL] CWE-668 CVE-2026-44008: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpecies
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attack
nvd
CVE-2026-45411P2CRITICALCVSS 9.8fixed in 3.11.32026-05-13
CVE-2026-45411 [CRITICAL] CWE-668 CVE-2026-45411: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host except
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the
nvd
CVE-2026-43998P2HIGHCVSS 8.5v3.10.52026-05-13
CVE-2026-43998 [HIGH] CWE-59 CVE-2026-43998: vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can
vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native
nvd
CVE-2026-44007P2CRITICALCVSS 9.1fixed in 3.11.12026-05-13
CVE-2026-44007 [CRITICAL] CWE-284 CVE-2026-44007: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and execu
nvd
1 / 2Next →