Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
Published: 2026-05-04
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a sandbox escape flaw in vm2, an open‑source Node.js virtual machine. SuppressedError objects can be exploited to break out of the isolated environment, allowing an attacker to execute arbitrary code with the same privileges as the host process. This represents a critical integrity and confidentiality breach. The weakness is rooted in improper error handling and code injection controls (CWE-693, CWE-94).

Affected Systems

The affected product is Patriksimek’s vm2 library, and any deployment that uses a version older than 3.11.0 is susceptible. The issue exists across all builds of vm2 released before the 3.11.0 patch, regardless of Node.js runtime version. Systems that embed vm2 for sandboxing external or untrusted code should investigate their current library version.

Risk and Exploitability

The CVSS base score of 9.8 signals an extremely severe risk. Although no EPSS score is published, the absence of a numeric value does not diminish the high likelihood that a determined attacker who can control or influence the vm2 input will succeed. The vulnerability is not yet recorded in CISA’s KEV catalog, indicating no widespread exploitation has been confirmed, yet the combination of a high severity rating and the ability to run arbitrary code makes it a priority target for attackers. A likely attack vector involves supplying crafted code that triggers a SuppressedError during vm2 execution, leading to sandbox escape and code execution in the host context.

Generated by OpenCVE AI on May 4, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vm2 library to version 3.11.0 or later, which contains the defensive fix for SuppressedError handling.
  • If an immediate upgrade is not feasible, remove or replace any usage of SuppressedError within the application, ensuring that error handling does not traverse the sandbox boundary.
  • Restrict untrusted code execution to isolated processes or alternative sandboxing mechanisms, and enforce strict runtime access controls to limit the privileges of any potential escapees.


Advisories

No advisories yet.

History

Mon, 04 May 2026 19:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Patriksimek
                                        Patriksimek vm2
Vendors & Products                      Patriksimek
                                        Patriksimek vm2
Metrics                                 ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 17:15:00 +0000

Type                  Values Removed    Values Added
Description                             vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
Title                                   vm2: Sandbox Escape
Weaknesses                              CWE-693
                                        CWE-94
References
Metrics                                 cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:06:53.442Z

Reserved: 2026-02-13T16:27:51.810Z

Link: CVE-2026-26332

Vulnrichment

Updated: 2026-05-04T19:06:03.857Z

NVD

Status: Received

Published: 2026-05-04T17:16:22.403

Modified: 2026-05-04T20:16:17.207

Link: CVE-2026-26332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses