Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7Blast Radius
ecosystem impact- 11 npm packages depend on vm2 (1 direct, 10 indirect)
Ecosystem-wide dependent count for version 3.10.5.
DescriptionCVE.org
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
AnalysisAI
Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.
Technical ContextAI
vm2 is a Node.js library (cpe:2.3:a:patriksimek:vm2) designed to provide sandboxed JavaScript execution environments for untrusted code. This vulnerability stems from CWE-693 (Protection Mechanism Failure), where the original security controls meant to isolate VM2 sandbox contexts from the host Node.js runtime can be bypassed. The attack surface includes multiple JavaScript language features: the Function constructor (which can compile and execute arbitrary code), Object property descriptors (getOwnPropertyDescriptor), prototype manipulation (setPrototypeOf), proxy objects that can unwrap sandbox boundaries, util.inspect internals (doPreventExtensions, getFactory), error handling mechanisms (SuppressedError), and WebAssembly's JSTag feature in Node.js 25+. The fundamental issue is that JavaScript's dynamic nature and reflective capabilities provide numerous pathways to access host-level constructors and execute code outside the intended sandbox boundary. The patch addresses eleven distinct bypass vectors discovered after the CVE-2023-37466 remediation, indicating sophisticated sandbox escape chains.
RemediationAI
Upgrade immediately to vm2 version 3.10.5 or later as documented in the release notes at https://github.com/patriksimek/vm2/releases/tag/v3.10.5. For Node.js applications, update package.json dependencies to specify vm2 ^3.10.5 or >=3.10.5 and run npm update or yarn upgrade. If immediate upgrade is not feasible, consider temporary compensating controls with significant operational impact: disable all user-supplied JavaScript execution features that rely on vm2 until patching is complete (breaks core functionality); implement strict input validation to reject code containing suspicious patterns like 'Function', 'constructor', 'prototype', '__proto__', 'Proxy', 'WebAssembly', though determined attackers can obfuscate these (bypassable, reduces usability); run vm2-dependent processes in isolated containers or VMs with minimal host access and network segmentation (adds infrastructure complexity, does not eliminate risk if container escape techniques exist); or migrate to alternative sandboxing solutions like isolated-vm or Deno's permission model (requires significant code refactoring, testing effort). Note that compensating controls for sandbox escapes are inherently weak since the core security boundary has failed - patching to 3.10.5 is the only reliable mitigation.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-693 – Protection Mechanism Failure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26986
GHSA-qvjj-29qf-hp7p