Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
Scores
CVSS v3
10.0
EPSS
0.0002
EPSS Percentile
6.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
npm/vm2
0 - 3.11.0npm
patriksimek/vm2
< 3.11.0
vm2_project/vm2
< 3.11.0
Published
May 13, 2026
Tracked Since
May 13, 2026