Impact
vm2 is an open source virtual machine sandbox for Node.js that, in versions prior to 3.11.0, allowed sandboxed code to access the host’s full absolute file system paths through its CallSite wrapper class. The wrapper blocks host object leakage for getThis() and getFunction(), but incorrectly exposes the unfiltered return value of getFileName() in stack traces, which reveals the complete directory structure, library search paths, and framework version numbers of the host server. This violates confidentiality and is identified as CWE‑209 (Information Exposure Through an Error Message).
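The wrapper gap described above, set beside an allowlist filter, as an added example that is not vm2's own code or its 3.11.0 patch. The names `leakyWrap`, `filteredWrap`, `REDACTED` and the `vm.js` script name are assumptions made for illustration; the CallSite objects come from V8's `Error.prepareStackTrace` hook.

```javascript
'use strict';

// Collect the raw V8 CallSite objects for the current stack (host side).
function captureCallSites() {
  const previous = Error.prepareStackTrace;
  try {
    Error.prepareStackTrace = (_err, sites) => sites;
    const err = new Error('probe');
    Error.captureStackTrace(err, captureCallSites);
    return err.stack; // array of CallSite objects, not a string
  } finally {
    Error.prepareStackTrace = previous;
  }
}

// Wrapper with the gap the advisory describes: host objects are withheld,
// but getFileName() is returned exactly as V8 reports it.
function leakyWrap(site) {
  return {
    getThis: () => undefined,
    getFunction: () => undefined,
    getFileName: () => site.getFileName(),
    getLineNumber: () => site.getLineNumber(),
  };
}

// Allowlist wrapper (assumed policy): only script names the embedder gave to
// sandboxed code are reported; every other frame collapses to a placeholder.
const REDACTED = '<host>';
function filteredWrap(site, sandboxNames) {
  const name = site.getFileName();
  const visible = typeof name === 'string' && sandboxNames.has(name);
  return {
    getThis: () => undefined,
    getFunction: () => undefined,
    getFileName: () => (visible ? name : REDACTED),
    // Line numbers of host frames also describe host code, so hide them too.
    getLineNumber: () => (visible ? site.getLineNumber() : null),
  };
}

// File names a sandbox would see through a given wrapper for the same stack.
function visibleFileNames(sites, wrap) {
  return sites.map((site) => wrap(site).getFileName());
}

// Constructed sample frame standing in for code loaded as "vm.js".
const sandboxFrame = { getFileName: () => 'vm.js', getLineNumber: () => 3 };
const sites = [sandboxFrame, ...captureCallSites()];
const allowed = new Set(['vm.js']);
console.log(visibleFileNames(sites, leakyWrap));
console.log(visibleFileNames(sites, (s) => filteredWrap(s, allowed)));
```

The first printed list contains the host's own script paths; the second reports only `vm.js` and the placeholder.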
Affected Systems
The vulnerability affects the patriksimek:vm2 product for Node.js – any installation using a version earlier than 3.11.0 is vulnerable. No specific sub‑versions are listed; the advisory notes that all releases before 3.11.0 are impacted.
Risk and Exploitability
With a CVSS score of 5.8, the vulnerability carries a moderate risk. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. Attackers would need the ability to execute code within the vm2 sandbox to trigger a stack trace and obtain the host paths; however, once the information is leaked, it could aid further reconnaissance attacks. The lack of an active exploit database mitigates the immediate threat, but the information disclosure remains actionable for adversaries with sandbox access.