Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 11 npm packages depend on vm2 (1 direct, 10 indirect)
Ecosystem-wide dependent count for version 3.10.5.
DescriptionCVE.org
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.
AnalysisAI
Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. EPSS data not available, but this represents complete failure of the sandbox security boundary. Patch released in version 3.10.5 addresses eleven distinct escape vectors including Function constructor leakage, proxy unwrapping, util.inspect exposure, and WebAssembly exception handling.
Technical ContextAI
vm2 (cpe:2.3:a:patriksimek:vm2:*:*:*:*:*:*:*:*) is a Node.js library designed to provide sandboxed JavaScript execution environments. The vulnerability stems from CWE-693 (Protection Mechanism Failure) - specifically, multiple failures in the isolation boundary between guest and host JavaScript contexts. Version 3.10.4 contains at least eleven distinct escape paths discovered during remediation, including: Function constructor access via getOwnPropertyDescriptor, proxy handler exploitation, exposure of internal bridge methods (doPreventExtensions, getFactory) through util.inspect, nested property descriptor manipulation, SuppressedError object leakage, direct handler.get() calls, and WebAssembly.JSTag exception handling in Node 25. The sandbox relied on prototype manipulation and context isolation that could be bypassed through creative use of JavaScript reflection APIs and Node.js internals.
RemediationAI
Upgrade immediately to vm2 version 3.10.5 or later (https://github.com/patriksimek/vm2/releases/tag/v3.10.5). The patched version implements comprehensive fixes for eleven distinct sandbox escape vectors including Function constructor blocking across all access paths, proxy unwrapping prevention, util.inspect internal method sanitization, SuppressedError sub-error sanitization, and WebAssembly.JSTag blocking for Node 25 environments. No workarounds exist for version 3.10.4 - the sandbox security boundary is fundamentally broken. If immediate upgrade is impossible, disable all vm2-based code execution features until patching is complete. For defense in depth post-patch, run Node.js processes using vm2 with OS-level sandboxing (containers, seccomp, AppArmor) and minimal filesystem/network privileges, though this does not address the application-level escape. Refer to GHSA-ffh4-j6h5-pg66 for complete advisory details.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-693 – Protection Mechanism Failure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26995
GHSA-ffh4-j6h5-pg66