Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 88 npm packages depend on vm2 (4 direct, 84 indirect)
Ecosystem-wide dependent count for version 3.11.4.
DescriptionCVE.org
Summary
NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin.
The following builtins are not blocked by the dangerous builtin denylist:
diagnostics_channel
async_hooks
perf_hooksThese modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.
Note: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.
Details
Non-denied builtins are exposed to the sandbox through lib/builtin.js:
builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));diagnostics_channel, async_hooks, and perf_hooks are not denied. These modules expose host process state rather than sandbox-local state.
Confirmed examples:
diagnostics_channellets sandboxed code subscribe to Node.js HTTP diagnostic channels such ashttp.server.request.start. The sandbox receives host HTTP request objects and can read headers such asAuthorizationor session tokens.async_hooks.executionAsyncResource()lets sandboxed code read the current hostAsyncResource. If the host stores request/user data on that resource, the sandbox can read it.perf_hooks.performance.getEntriesByType('mark')lets sandboxed code read host performance timeline entries.
PoC
Run from the vm2 repository root:
node poc/observability-builtins-info-leak.jsobservability-builtins-info-leak.js
The PoC uses only the specific builtin being tested in each section.
It confirms:
diagnostics_channel: sandbox reads host HTTP request headers
async_hooks: sandbox reads host AsyncResource data
perf_hooks: sandbox reads host performance mark namesExample impact from the PoC:
authorization: Bearer HOST_HTTP_SECRET_...
x-session-token: HOST_HTTP_SECRET_...These values are sent to a host HTTP server, but the sandbox reads them through diagnostics_channel.
<img width="997" height="566" alt="Screenshot 2026-05-10 at 1 13 20 PM" src="https://github.com/user-attachments/assets/36a7d600-8b53-4bfe-ab06-4e6dcfad5015" />
Impact
An attacker who can run untrusted JavaScript inside NodeVM with affected builtin settings can observe data from the host process.
In a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.
Suggested fix
Treat process-wide observability modules as dangerous builtins for untrusted sandboxes.
At minimum, consider blocking:
diagnostics_channel
async_hooks
perf_hooksThese modules are not sandbox-local and can expose host process state across the vm2 boundary.
AnalysisAI
Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).
Technical ContextAI
vm2 is a widely-used Node.js sandboxing library (pkg:npm/vm2) that restricts untrusted JavaScript by filtering access to Node.js built-in modules through a DANGEROUS_BUILTINS denylist enforced in lib/builtin.js. CWE-668 (Exposure of Resource to Wrong Sphere) is the root cause: the affected modules - diagnostics_channel, async_hooks, and perf_hooks - are process-wide singletons, not sandbox-local constructs. When allowed through require.builtin, diagnostics_channel enables subscription to Node.js internal HTTP lifecycle events (e.g., http.server.request.start), yielding full IncomingMessage objects with all headers; async_hooks.executionAsyncResource() exposes the current host AsyncResource or AsyncLocalStorage context, commonly used by host applications to propagate per-request identity and credentials; and perf_hooks.performance.getEntriesByType('mark') enumerates host performance timeline entries. The commit diff also reveals that v8 (heap snapshot/query access) was included in the same fix, extending the threat surface beyond what the original advisory description enumerated. Prior enforcement via BUILTIN_MODULES filter and addDefaultBuiltin rejection correctly blocked modules in the original DANGEROUS_BUILTINS list but left these four modules unaddressed.
RemediationAI
Upgrade vm2 to version 3.11.4 (vendor-released patch: 3.11.4), which extends the DANGEROUS_BUILTINS denylist in lib/builtin.js to include diagnostics_channel, async_hooks, perf_hooks, and v8, reusing the existing two-layer enforcement (BUILTIN_MODULES filter and addDefaultBuiltin rejection with family-prefix and node:-normalised matching via isDangerousBuiltin). The patch commit is at https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb and the release at https://github.com/patriksimek/vm2/releases/tag/v3.11.4. The fix preserves mock and override escape hatches, so legitimate uses of these modules via controlled configuration are unaffected. If immediate upgrade is not feasible, audit all NodeVM instantiation sites and explicitly exclude diagnostics_channel, async_hooks, perf_hooks, and v8 from any require.builtin allowlist - removing them from the list prevents sandbox access to these modules without requiring the library patch. As an architectural compensating control, run NodeVM sandboxes in isolated child processes or worker threads with no shared event loop with the host HTTP server; this prevents cross-process access to diagnostic channels entirely, though it introduces IPC latency overhead. Do not rely on application-level filtering of sandbox output alone, as the data exposure occurs inside the sandbox before any output is returned.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36449
GHSA-9g8x-92q2-p28f