CVE-2022-36067

CRITICAL

vm2 <3.9.11 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-36067. PoCs published by Prathamrajgor, 0x1nsomnia.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-36067, leveraging a prototype pollution vulnerability in the vm2 sandbox to achieve remote code execution (RCE). The exploit manipulates the Error object's prepareStackTrace method to bypass sandbox restrictions and execute arbitrary commands.

Description

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Exploits (2)

nomisec WORKING POC 7 stars

by Prathamrajgor · poc

https://github.com/Prathamrajgor/Exploit-For-CVE-2022-36067

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2022-36067, leveraging a prototype pollution vulnerability in the vm2 sandbox to achieve remote code execution (RCE). The exploit manipulates the Error object's prepareStackTrace method to bypass sandbox restrictions and execute arbitrary commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 (versions < 3.9.11)

No auth needed

Prerequisites: Node.js environment with vulnerable vm2 version installed

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 2 stars

by 0x1nsomnia · poc

https://github.com/0x1nsomnia/CVE-2022-36067-vm2-POC-webapp