Description
vm2 is an open source VM/sandbox for Node.js. Prior to version 3.11.4, vm2 suffers from a sandbox breakout vulnerability. This allows attackers to write code that can escape from the vm2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.
References (3)
x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j
x_refsource_misc
https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8
x_refsource_misc
https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Scores
CVSS v3
10.0
EPSS
0.0089
EPSS Percentile
54.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-913
Status
published
Products (2)
npm/vm2
0 - 3.11.4 (npm)
patriksimek/vm2
< 3.11.4
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026