Description
The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-VM2-2309905
Patch, Third Party Advisory x_refsource_misc
https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d
Scores
CVSS v3
9.8
EPSS
0.0113
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
npm/vm2
0 - 3.9.6npm
vm2_project/vm2
< 3.9.6
Published
Feb 11, 2022
Tracked Since
Feb 18, 2026