Vm2
Sandbox escape in vm2 (patriksimek/vm2) versions prior to 3.11.3 enables remote code execution on the host Node.js process by abusing async generator `yield*` semantics to smuggle a host-realm exception into sandbox code, where the attacker pivots through `.constructor.constructor` to reach `process` and `child_process.execSync`. The flaw is exploitable by any attacker who can run JavaScript inside the sandbox, has publicly available exploit code, and carries SSVC technical impact 'total' with automatable=yes, though EPSS remains low at 0.05% (17th percentile) and the CVE is not listed in CISA KEV.
Sandbox escape in vm2 Node.js sandbox before 3.10.2 via Promise.prototype.then/catch callback sanitization bypass. PoC and patch available.