Filtered by vendor Patriksimek
Subscriptions
Filtered by product Vm2
Subscriptions
Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44003 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-14 | 5.3 Medium |
| vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0. | ||||
| CVE-2026-44004 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-14 | 7.5 High |
| vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. This vulnerability is fixed in 3.11.0. | ||||
| CVE-2026-44006 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-14 | 10 Critical |
| vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0. | ||||
| CVE-2026-24118 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-08 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | ||||
| CVE-2026-24120 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-08 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. | ||||
| CVE-2026-24781 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-08 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | ||||
| CVE-2026-26956 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-08 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5. | ||||
| CVE-2026-26332 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-05-06 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0. | ||||
| CVE-2026-22709 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-04-18 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue. | ||||