Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Untrusted code in the sandbox needs no host auth (PR:N) and a reliable PoC makes it low-complexity (AC:L); escape from sandbox to host is a scope change (S:C) yielding full host compromise (C/I/A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
11DescriptionNVD
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
AnalysisAI
Sandbox escape leading to remote code execution in the vm2 Node.js sandbox library affects all versions prior to 3.11.0, where the JavaScript SuppressedError mechanism (combined with DisposableStack disposal) lets untrusted code running inside the sandbox reach a host constructor and execute arbitrary commands on the underlying server. Any application that relies on vm2 to safely run attacker-controlled or untrusted JavaScript is fully compromised, with a working proof-of-concept published in the GHSA advisory. There is publicly available exploit code but no confirmed active exploitation; the SSVC framework rates it POC, automatable, with total technical impact, while EPSS remains low at 0.06%.
Technical ContextAI
vm2 (npm package 'vm2', CPE cpe:2.3:a:patriksimek:vm2) is a widely used Node.js library designed to execute untrusted JavaScript in an isolated context with controlled access to host resources - it is the security boundary itself, so any escape is critical. The root cause is CWE-94 (Improper Control of Generation of Code / code injection) realized as a sandbox-escape primitive: the ECMAScript SuppressedError object, produced when multiple disposers in a DisposableStack throw during dispose(), carries a 'suppressed' error reference whose prototype chain was not fully sanitized by vm2's bridge. By manipulating an Error's name to a Symbol and triggering stack evaluation, the attacker obtains an un-sanitized error object, walks e.suppressed.constructor.constructor to reach the host realm's Function constructor, and from there retrieves the real process object and child_process to run shell commands. This is one of 13 advisories closed in the v3.11.0 coordinated release, several of which are full sandbox-escape RCE primitives stemming from incomplete prototype/intrinsic sanitization across realm boundaries.
RemediationAI
Vendor-released patch: vm2 3.11.0 - upgrade immediately to 3.11.0 or later, which closes this SuppressedError escape along with 12 other advisories in a coordinated security release (commits 119fd0aa, 4cb82cc9, and others referenced in GHSA-55hx-c926-fr95). Because vm2's entire purpose is isolating untrusted code and multiple independent escape primitives were just disclosed, upgrading is the only robust fix; partial workarounds are unreliable. If you cannot patch instantly, the most effective compensating control is to stop feeding attacker-controlled or untrusted JavaScript into vm2 until the upgrade lands - disable or gate any feature that lets external input reach vm.run(), at the cost of losing that functionality temporarily. Given the long history of vm2 sandbox escapes, strongly consider migrating untrusted-code execution to a process- or VM-level isolation boundary (e.g. isolated-vm, a separate hardened worker process, gVisor/container, or a serverless sandbox), which provides a real OS-enforced boundary rather than an in-process JavaScript one. Refer to the GHSA advisory (https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95) and the v3.11.0 release notes for the full advisory set.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-94 – Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26993
GHSA-55hx-c926-fr95