Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
Published: 2026-05-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vm2 is an open‑source virtual machine and sandbox for Node.js. Versions prior to 3.11.2 are affected by a sandbox breakout vulnerability. An error caused by a null prototype reference allows code executing inside a vm2 sandbox to escape the isolation boundary and run arbitrary instructions with the privileges of the hosting Node.js process. The weakness is classified as CWE‑668, indicating a privilege escalation that bypasses intended access controls, leading to potential compromise of confidentiality, integrity, and availability of the host application.

Affected Systems

Affected products include the patriksimek:vm2 library for Node.js, in all releases older than 3.11.2. Applications that embed this library and run untrusted code within vm2 are at risk. Any deployment that depends on an older version without applying the update is considered vulnerable.

Risk and Exploitability

The CVSS base score of 9.8 indicates critical severity, reflecting the full compromise of the host process. The EPSS score is not available, so the exploitation probability cannot be measured precisely, but the lack of listing in the CISA KEV catalog suggests no active exploits have been documented yet. The likely attack vector is local or within the Node.js environment; an attacker who can supply malicious input consumed by vm2 can trigger the null prototype exception and escape the sandbox, achieving remote code execution with the capabilities of the application process.

Generated by OpenCVE AI on May 13, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vm2 to version 3.11.2 or newer to obtain the fix for the sandbox breakout vulnerability.
  • Replace any remaining references to older vm2 releases in the application's dependency tree and rebuild the project after the upgrade.
  • If an immediate upgrade is not possible, run the vm2 sandbox under the least privileged user account and restrict its file system access to prevent a potential escape from affecting the host environment.

Generated by OpenCVE AI on May 13, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9vg3-4rfj-wgcm vm2 has Sandbox Breakout Through Null Proto Exception
History

Fri, 15 May 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Vm2 Project
Vm2 Project vm2
CPEs cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Vendors & Products Vm2 Project
Vm2 Project vm2

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Patriksimek
Patriksimek vm2
Vendors & Products Patriksimek
Patriksimek vm2

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
Title vm2: Sandbox Breakout Through Null Proto Exception
Weaknesses CWE-668
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Patriksimek Vm2
Vm2 Project Vm2
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T03:55:59.497Z

Reserved: 2026-05-04T21:24:36.505Z

Link: CVE-2026-44009

cve-icon Vulnrichment

Updated: 2026-05-13T18:42:03.379Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T18:16:17.803

Modified: 2026-05-14T15:17:22.300

Link: CVE-2026-44009

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses