Description
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
References (4)
Core 4
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241108-0002/
Release Notes x_refsource_misc
https://github.com/patriksimek/vm2/releases/tag/v3.10.0
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
Scores
CVSS v3
9.8
EPSS
0.0481
EPSS Percentile
89.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
npm/vm2
0 - 3.10.0npm
vm2_project/vm2
< 3.9.19
Published
Jul 14, 2023
Tracked Since
Feb 18, 2026