Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
AnalysisAI
Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated attackers to escape the sandbox environment via the inspect function and execute arbitrary system commands. The vulnerability exploits handler leakage through util.inspect's showProxy option to reconstruct host-realm objects and break isolation guarantees. CRITICAL: This is a complete sandbox bypass affecting all deployments using vm2 for untrusted code execution. Vendor-released patch available in version 3.11.0 with multiple commits addressing eight distinct exploitation primitives discovered during iterative disclosure.
Technical ContextAI
vm2 (cpe:2.3:a:patriksimek:vm2) is a popular Node.js library providing sandboxed JavaScript execution environments, widely used for running untrusted code in server-side applications, plugin systems, and code evaluation platforms. The vulnerability stems from CWE-94 (Improper Control of Generation of Code) in the sandbox's isolation boundary. When Node.js's util.inspect function is invoked with showProxy:true on specially crafted objects combining Buffer.prototype methods (slice, inspect, hexSlice) with custom stylize callbacks, the internal proxy handler object leaks into the inspection context's 'this.seen' array. This leaked handler exposes privileged methods (objectWrapper, fromOtherWithContext, doPreventExtensions, getFactory, direct trap access, reduce-bind chains) that can reconstruct host-realm Function constructors, bypassing the sandbox's prototype isolation. The vendor's test suite documents eight distinct exploitation chains (PoCs #1-8) discovered through iterative security research, with commits 8d30d93, bdd3d15, and fd266d0 addressing different primitive access paths. The vulnerability requires Node.js ≤22 to trigger the Buffer.prototype.inspect harvest path; Node 24+ inadvertently mitigates through stricter argument validation, though the underlying architectural flaw exists across all versions before 3.11.0.
RemediationAI
Upgrade immediately to vm2 version 3.11.0 or later (released at https://github.com/patriksimek/vm2/releases/tag/v3.11.0). The patch comprises three commits: 8d30d93213c1898b3e035298b89a814970dd1189 (test coverage for PoCs #1-6), bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c (core handler isolation fix), and fd266d084e0a3322d0f71ba2a8dc4c96cd030228 (additional hardening). No workarounds exist for a sandbox escape vulnerability - the security model depends entirely on the isolation boundary vm2 failed to enforce. Compensating controls are insufficient: input validation cannot prevent exploitation when the attacker controls code execution within the sandbox, network segmentation only limits post-exploitation lateral movement but does not prevent initial host compromise, and disabling specific Node.js APIs (util.inspect, Buffer methods) breaks legitimate vm2 functionality while attackers demonstrated eight distinct primitives suggesting additional undiscovered paths. Organizations unable to upgrade immediately must migrate to alternative sandboxing solutions (isolated-vm with V8 isolate-level separation, Docker/container-based code execution environments, or WebAssembly sandboxes) or cease accepting untrusted code for execution. Scanning npm dependency trees for 'vm2': <3.11.0 is critical given transitive dependency risk in plugin architectures.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-94 – Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26987
GHSA-v37h-5mfm-c47c