Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/vm2@3.9.5

Type npm

Namespace

Name vm2

Version 3.9.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.11.4

Latest_non_vulnerable_version 3.11.4

Affected_by_vulnerabilities

url VCID-3srt-uk7n-xqcw

vulnerability_id VCID-3srt-uk7n-xqcw

summary Sandbox bypass in vm2

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23555

reference_id

reference_type

scores

value	0.01104
scoring_system	epss
scoring_elements	0.78559
published_at	2026-06-12T12:55:00Z

value	0.01104
scoring_system	epss
scoring_elements	0.78493
published_at	2026-06-11T12:55:00Z

value	0.01104
scoring_system	epss
scoring_elements	0.78572
published_at	2026-06-14T12:55:00Z

value	0.01104
scoring_system	epss
scoring_elements	0.78577
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23555

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d

reference_url

https://snyk.io/vuln/SNYK-JS-VM2-2309905

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-VM2-2309905

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2054114
reference_id	2054114
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2054114

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-23555

reference_id

CVE-2021-23555

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-23555

reference_url

https://github.com/advisories/GHSA-6pw2-5hjv-9pf7

reference_id

GHSA-6pw2-5hjv-9pf7

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6pw2-5hjv-9pf7

fixed_packages

url pkg:npm/vm2@3.9.6

purl pkg:npm/vm2@3.9.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-ct4r-vjm4-4qby

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-mqs7-x7bh-17ef

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rm74-p6v5-wkbj

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vsvp-q6bs-3qau

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-w13m-snrt-5ud3

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.6

aliases CVE-2021-23555, GHSA-6pw2-5hjv-9pf7

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3srt-uk7n-xqcw

url VCID-55dr-v6ew-s3e8

vulnerability_id VCID-55dr-v6ew-s3e8

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44006

reference_id

reference_type

scores

value	0.00061
scoring_system	epss
scoring_elements	0.19606
published_at	2026-06-12T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19433
published_at	2026-06-11T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19627
published_at	2026-06-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.21055
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44006

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44006

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44006

reference_url

https://github.com/advisories/GHSA-qcp4-v2jj-fjx8

reference_id

GHSA-qcp4-v2jj-fjx8

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qcp4-v2jj-fjx8

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8

reference_id

GHSA-qcp4-v2jj-fjx8

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:09:17Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44006, GHSA-qcp4-v2jj-fjx8

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-55dr-v6ew-s3e8

url VCID-598j-pe72-qkh3

vulnerability_id VCID-598j-pe72-qkh3

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-45411

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24192
published_at	2026-06-13T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.23987
published_at	2026-06-11T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24183
published_at	2026-06-12T12:55:00Z

value	0.00089
scoring_system	epss
scoring_elements	0.25545
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-45411

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.3

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-45411

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-45411

reference_url

https://github.com/advisories/GHSA-248r-7h7q-cr24

reference_id

GHSA-248r-7h7q-cr24

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-248r-7h7q-cr24

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24

reference_id

GHSA-248r-7h7q-cr24

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:06:42Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24

fixed_packages

url pkg:npm/vm2@3.11.3

purl pkg:npm/vm2@3.11.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8au2-j7az-byfp

vulnerability	VCID-c1qf-rxjq-p7hr

vulnerability	VCID-cb3t-tejn-2fcn

vulnerability	VCID-ecr5-kq87-2uez

vulnerability	VCID-etxy-bh6c-zbdv

vulnerability	VCID-kv67-9wty-p3hc

vulnerability	VCID-r9rx-mrvp-97br

vulnerability	VCID-sxnb-dxuh-hfbt

vulnerability	VCID-tdv8-2vye-cyaw

vulnerability	VCID-yg7p-bmb4-8fg7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.3

aliases CVE-2026-45411, GHSA-248r-7h7q-cr24

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-598j-pe72-qkh3

url VCID-6fr8-3aqn-wyce

vulnerability_id VCID-6fr8-3aqn-wyce

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-43997

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06381
published_at	2026-06-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06391
published_at	2026-06-13T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06402
published_at	2026-06-12T12:55:00Z

value	0.00024
scoring_system	epss
scoring_elements	0.07003
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-43997

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-43997

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-43997

reference_url

https://github.com/advisories/GHSA-47x8-96vw-5wg6

reference_id

GHSA-47x8-96vw-5wg6

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-47x8-96vw-5wg6

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6

reference_id

GHSA-47x8-96vw-5wg6

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:39:53Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-43997, GHSA-47x8-96vw-5wg6

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6fr8-3aqn-wyce

url

VCID-6n7e-fz65-jfds

vulnerability_id

VCID-6n7e-fz65-jfds

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37903

reference_id

reference_type

scores

value	0.39507
scoring_system	epss
scoring_elements	0.97403
published_at	2026-06-12T12:55:00Z

value	0.39507
scoring_system	epss
scoring_elements	0.97406
published_at	2026-06-14T12:55:00Z

value	0.39507
scoring_system	epss
scoring_elements	0.97405
published_at	2026-06-13T12:55:00Z

value	0.40092
scoring_system	epss
scoring_elements	0.97429
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37903

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

reference_url

https://security.netapp.com/advisory/ntap-20230831-0007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230831-0007

reference_url

https://security.netapp.com/advisory/ntap-20241108-0002

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20241108-0002

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2224969
reference_id	2224969
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2224969

reference_url

https://github.com/advisories/GHSA-g644-9gfx-q4q4

reference_id

GHSA-g644-9gfx-q4q4

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g644-9gfx-q4q4

fixed_packages

aliases

CVE-2023-37903, GHSA-g644-9gfx-q4q4

risk_score

4.5

exploitability

0.5

weighted_severity

9.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-6n7e-fz65-jfds

url VCID-77zs-22q5-d7ev

vulnerability_id VCID-77zs-22q5-d7ev

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including performing identity checks using host-side WeakMap and mutating host object state from inside the sandbox. This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object. As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation. This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44000

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.14887
published_at	2026-06-11T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.15006
published_at	2026-06-13T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.15008
published_at	2026-06-12T12:55:00Z

value	0.00051
scoring_system	epss
scoring_elements	0.16396
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44000

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44000

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44000

reference_url

https://github.com/advisories/GHSA-mpf8-4hx2-7cjg

reference_id

GHSA-mpf8-4hx2-7cjg

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mpf8-4hx2-7cjg

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg

reference_id

GHSA-mpf8-4hx2-7cjg

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:20:50Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44000, GHSA-mpf8-4hx2-7cjg

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-77zs-22q5-d7ev

url VCID-8he7-t256-1yct

vulnerability_id VCID-8he7-t256-1yct

summary vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24781

reference_id

reference_type

scores

value	0.00186
scoring_system	epss
scoring_elements	0.40422
published_at	2026-06-14T12:55:00Z

value	0.00186
scoring_system	epss
scoring_elements	0.40433
published_at	2026-06-13T12:55:00Z

value	0.00186
scoring_system	epss
scoring_elements	0.40243
published_at	2026-06-11T12:55:00Z

value	0.00186
scoring_system	epss
scoring_elements	0.40411
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24781

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24781

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24781

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2466531
reference_id	2466531
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2466531

reference_url

https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189

reference_id

8d30d93213c1898b3e035298b89a814970dd1189

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/

url

https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189

reference_url

https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c

reference_id

bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/

url

https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c

reference_url

https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228

reference_id

fd266d084e0a3322d0f71ba2a8dc4c96cd030228

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/

url

https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228

reference_url

https://github.com/advisories/GHSA-v37h-5mfm-c47c

reference_id

GHSA-v37h-5mfm-c47c

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v37h-5mfm-c47c

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c

reference_id

GHSA-v37h-5mfm-c47c

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

reference_id

v3.11.0

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-24781, GHSA-v37h-5mfm-c47c

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8he7-t256-1yct

url VCID-8pe8-9mh9-27f3

vulnerability_id VCID-8pe8-9mh9-27f3

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44003

reference_id

reference_type

scores

value	0.00049
scoring_system	epss
scoring_elements	0.1589
published_at	2026-06-13T12:55:00Z

value	0.00049
scoring_system	epss
scoring_elements	0.15743
published_at	2026-06-11T12:55:00Z

value	0.00049
scoring_system	epss
scoring_elements	0.15881
published_at	2026-06-12T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17304
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44003

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44003

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44003

reference_url

https://github.com/advisories/GHSA-wp5r-2gw5-m7q7

reference_id

GHSA-wp5r-2gw5-m7q7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wp5r-2gw5-m7q7

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7

reference_id

GHSA-wp5r-2gw5-m7q7

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:40:49Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44003, GHSA-wp5r-2gw5-m7q7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8pe8-9mh9-27f3

url VCID-8zk3-a7sw-u7an

vulnerability_id VCID-8zk3-a7sw-u7an

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44009

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05768
published_at	2026-06-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05752
published_at	2026-06-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05777
published_at	2026-06-12T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.0633
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44009

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44009

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44009

reference_url

https://github.com/advisories/GHSA-9vg3-4rfj-wgcm

reference_id

GHSA-9vg3-4rfj-wgcm

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9vg3-4rfj-wgcm

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm

reference_id

GHSA-9vg3-4rfj-wgcm

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:41:46Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm

fixed_packages

url pkg:npm/vm2@3.11.2

purl pkg:npm/vm2@3.11.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2

aliases CVE-2026-44009, GHSA-9vg3-4rfj-wgcm

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8zk3-a7sw-u7an

url VCID-bcct-j6mk-z7hu

vulnerability_id VCID-bcct-j6mk-z7hu

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44004

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16892
published_at	2026-06-12T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16741
published_at	2026-06-11T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16906
published_at	2026-06-13T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18309
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44004

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44004

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44004

reference_url

https://github.com/advisories/GHSA-6785-pvv7-mvg7

reference_id

GHSA-6785-pvv7-mvg7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6785-pvv7-mvg7

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7

reference_id

GHSA-6785-pvv7-mvg7

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:07:58Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44004, GHSA-6785-pvv7-mvg7

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bcct-j6mk-z7hu

url VCID-ct4r-vjm4-4qby

vulnerability_id VCID-ct4r-vjm4-4qby

summary vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-36067

reference_id

reference_type

scores

value	0.84468
scoring_system	epss
scoring_elements	0.99346
published_at	2026-06-14T12:55:00Z

value	0.84468
scoring_system	epss
scoring_elements	0.99347
published_at	2026-06-13T12:55:00Z

value	0.84468
scoring_system	epss
scoring_elements	0.99344
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-36067

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://security.netapp.com/advisory/ntap-20221017-0002

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20221017-0002

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2124794
reference_id	2124794
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2124794

reference_url

https://github.com/patriksimek/vm2/issues/467

reference_id

467

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://github.com/patriksimek/vm2/issues/467

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-36067

reference_id

CVE-2022-36067

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-36067

reference_url

https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

reference_id

d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

reference_url

https://github.com/advisories/GHSA-mrgp-mrhc-5jrq

reference_id

GHSA-mrgp-mrhc-5jrq

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mrgp-mrhc-5jrq

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq

reference_id

GHSA-mrgp-mrhc-5jrq

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq

reference_url

https://security.netapp.com/advisory/ntap-20221017-0002/

reference_id

ntap-20221017-0002

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://security.netapp.com/advisory/ntap-20221017-0002/

reference_url

https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71

reference_id

setup-sandbox.js#L71

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71

reference_url

https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067

reference_id

vm2-sandbreak-vulnerability-cve-2022-36067

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/

url

https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067

fixed_packages

url pkg:npm/vm2@3.9.11

purl pkg:npm/vm2@3.9.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-mqs7-x7bh-17ef

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rm74-p6v5-wkbj

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-w13m-snrt-5ud3

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.11

aliases CVE-2022-36067, GHSA-mrgp-mrhc-5jrq

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ct4r-vjm4-4qby

url VCID-g93v-7a6d-5bfm

vulnerability_id VCID-g93v-7a6d-5bfm

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44008

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24192
published_at	2026-06-13T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.23987
published_at	2026-06-11T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24183
published_at	2026-06-12T12:55:00Z

value	0.00089
scoring_system	epss
scoring_elements	0.25545
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44008

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44008

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44008

reference_url

https://github.com/advisories/GHSA-9qj6-qjgg-37qq

reference_id

GHSA-9qj6-qjgg-37qq

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9qj6-qjgg-37qq

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq

reference_id

GHSA-9qj6-qjgg-37qq

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-14T18:21:34Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq

fixed_packages

url pkg:npm/vm2@3.11.2

purl pkg:npm/vm2@3.11.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2

aliases CVE-2026-44008, GHSA-9qj6-qjgg-37qq

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g93v-7a6d-5bfm

url VCID-gvhg-db7k-57ey

vulnerability_id VCID-gvhg-db7k-57ey

summary vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26332

reference_id

reference_type

scores

value	0.00088
scoring_system	epss
scoring_elements	0.25392
published_at	2026-06-14T12:55:00Z

value	0.00088
scoring_system	epss
scoring_elements	0.25406
published_at	2026-06-13T12:55:00Z

value	0.00088
scoring_system	epss
scoring_elements	0.25389
published_at	2026-06-12T12:55:00Z

value	0.00088
scoring_system	epss
scoring_elements	0.25191
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26332

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0

reference_url

https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f

reference_url

https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca

reference_url

https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d

reference_url

https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26332

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26332

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2466508
reference_id	2466508
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2466508

reference_url

https://github.com/advisories/GHSA-55hx-c926-fr95

reference_id

GHSA-55hx-c926-fr95

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-55hx-c926-fr95

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95

reference_id

GHSA-55hx-c926-fr95

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

reference_id

v3.11.0

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-26332, GHSA-55hx-c926-fr95

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gvhg-db7k-57ey

url VCID-hb4z-qz2p-rqc5

vulnerability_id VCID-hb4z-qz2p-rqc5

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44001

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16892
published_at	2026-06-12T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16741
published_at	2026-06-11T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16906
published_at	2026-06-13T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18309
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44001

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44001

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44001

reference_url

https://github.com/advisories/GHSA-99p7-6v5w-7xg8

reference_id

GHSA-99p7-6v5w-7xg8

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-99p7-6v5w-7xg8

reference_url

https://github.com/advisories/GHSA-hw58-p9xv-2mjh

reference_id

GHSA-hw58-p9xv-2mjh

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hw58-p9xv-2mjh

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh

reference_id

GHSA-hw58-p9xv-2mjh

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:16:50Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44001, GHSA-hw58-p9xv-2mjh

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hb4z-qz2p-rqc5

url VCID-k9q9-7mgb-rbbf

vulnerability_id VCID-k9q9-7mgb-rbbf

summary vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26956

reference_id

reference_type

scores

value	0.00129
scoring_system	epss
scoring_elements	0.32075
published_at	2026-06-14T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.32096
published_at	2026-06-13T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.31893
published_at	2026-06-11T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.32079
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26956

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26956

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26956

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2466548
reference_id	2466548
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2466548

reference_url

https://github.com/advisories/GHSA-ffh4-j6h5-pg66

reference_id

GHSA-ffh4-j6h5-pg66

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ffh4-j6h5-pg66

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

reference_id

GHSA-ffh4-j6h5-pg66

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

reference_id

v3.10.5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

fixed_packages

url pkg:npm/vm2@3.10.5

purl pkg:npm/vm2@3.10.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-88m4-3mra-mqfc

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-x2zr-7eqd-m3b7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5

aliases CVE-2026-26956, GHSA-ffh4-j6h5-pg66

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k9q9-7mgb-rbbf

url VCID-kjca-h5yw-cudv

vulnerability_id VCID-kjca-h5yw-cudv

summary vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24118

reference_id

reference_type

scores

value	0.00176
scoring_system	epss
scoring_elements	0.39156
published_at	2026-06-14T12:55:00Z

value	0.00176
scoring_system	epss
scoring_elements	0.39164
published_at	2026-06-13T12:55:00Z

value	0.00176
scoring_system	epss
scoring_elements	0.38968
published_at	2026-06-11T12:55:00Z

value	0.00176
scoring_system	epss
scoring_elements	0.3914
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24118

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24118

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24118

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2466502
reference_id	2466502
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2466502

reference_url

https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3

reference_id

2b5f3e3a060d9088f5e1cdd585d683d491f990a3

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/

url

https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3

reference_url

https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74

reference_id

f9b700b1c7d9ef2df416666cb24e0b659140cc74

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/

url

https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74

reference_url

https://github.com/advisories/GHSA-grj5-jjm8-h35p

reference_id

GHSA-grj5-jjm8-h35p

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-grj5-jjm8-h35p

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p

reference_id

GHSA-grj5-jjm8-h35p

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

reference_id

v3.11.0

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-24118, GHSA-grj5-jjm8-h35p

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kjca-h5yw-cudv

url VCID-mqs7-x7bh-17ef

vulnerability_id VCID-mqs7-x7bh-17ef

summary vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-30547

reference_id

reference_type

scores

value	0.83683
scoring_system	epss
scoring_elements	0.99312
published_at	2026-06-13T12:55:00Z

value	0.83683
scoring_system	epss
scoring_elements	0.99311
published_at	2026-06-14T12:55:00Z

value	0.83683
scoring_system	epss
scoring_elements	0.99308
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-30547

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/releases/tag/3.9.17

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/3.9.17

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-30547

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-30547

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2187608
reference_id	2187608
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2187608

reference_url

https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

reference_id

381b230b04936dd4d74aaf90cc8bb244

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/

url

https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

reference_url

https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049

reference_id

4b22e87b102d97d45d112a0931dba1aef7eea049

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/

url

https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049

reference_url

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5

reference_id

f3db4dee4d76b19869df05ba7880d638a880edd5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/

url

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5

reference_url

https://github.com/advisories/GHSA-ch3r-j5x3-6q2m

reference_id

GHSA-ch3r-j5x3-6q2m

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ch3r-j5x3-6q2m

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

reference_id

GHSA-ch3r-j5x3-6q2m

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

fixed_packages

url pkg:npm/vm2@3.9.17

purl pkg:npm/vm2@3.9.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.17

aliases CVE-2023-30547, GHSA-ch3r-j5x3-6q2m

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mqs7-x7bh-17ef

url VCID-nkcm-wcbb-quhs

vulnerability_id VCID-nkcm-wcbb-quhs

summary vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-22709

reference_id

reference_type

scores

value	0.00054
scoring_system	epss
scoring_elements	0.17446
published_at	2026-06-13T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17418
published_at	2026-06-14T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.1743
published_at	2026-06-12T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17266
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-22709

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29

reference_id

4b009c2d4b1131c01810c1205e641d614c322a29

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/

url

https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-22709

reference_id

CVE-2026-22709

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-22709

reference_url

https://github.com/advisories/GHSA-99p7-6v5w-7xg8

reference_id

GHSA-99p7-6v5w-7xg8

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-99p7-6v5w-7xg8

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

reference_id

GHSA-99p7-6v5w-7xg8

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.10.2

reference_id

v3.10.2

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.10.2

fixed_packages

url pkg:npm/vm2@3.10.2

purl pkg:npm/vm2@3.10.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.2

aliases CVE-2026-22709, GHSA-99p7-6v5w-7xg8

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nkcm-wcbb-quhs

url VCID-pucd-5ym9-1bc8

vulnerability_id VCID-pucd-5ym9-1bc8

summary vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24120

reference_id

reference_type

scores

value	0.00129
scoring_system	epss
scoring_elements	0.3201
published_at	2026-06-14T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.3203
published_at	2026-06-13T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.32014
published_at	2026-06-12T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.31828
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24120

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24120

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24120

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2466529
reference_id	2466529
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2466529

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

reference_id

GHSA-cchq-frgv-rjh5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

reference_url

https://github.com/advisories/GHSA-qvjj-29qf-hp7p

reference_id

GHSA-qvjj-29qf-hp7p

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qvjj-29qf-hp7p

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p

reference_id

GHSA-qvjj-29qf-hp7p

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

reference_id

v3.10.5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

fixed_packages

url pkg:npm/vm2@3.10.5

purl pkg:npm/vm2@3.10.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-88m4-3mra-mqfc

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-x2zr-7eqd-m3b7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5

aliases CVE-2026-24120, GHSA-qvjj-29qf-hp7p

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pucd-5ym9-1bc8

url VCID-rm74-p6v5-wkbj

vulnerability_id VCID-rm74-p6v5-wkbj

summary There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-29199

reference_id

reference_type

scores

value	0.18512
scoring_system	epss
scoring_elements	0.95416
published_at	2026-06-14T12:55:00Z

value	0.18512
scoring_system	epss
scoring_elements	0.95415
published_at	2026-06-13T12:55:00Z

value	0.24972
scoring_system	epss
scoring_elements	0.9629
published_at	2026-06-11T12:55:00Z

value	0.24972
scoring_system	epss
scoring_elements	0.96301
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-29199

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-29199

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-29199

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2187409
reference_id	2187409
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2187409

reference_url

https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7

reference_id

24c724daa7c09f003e556d7cd1c7a8381cb985d7

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/

url

https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7

reference_url

https://github.com/patriksimek/vm2/releases/tag/3.9.16

reference_id

3.9.16

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/

url

https://github.com/patriksimek/vm2/releases/tag/3.9.16

reference_url

https://github.com/patriksimek/vm2/issues/516

reference_id

516

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/

url

https://github.com/patriksimek/vm2/issues/516

reference_url

https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c

reference_id

f05730165799bf56d70391f3d9ea187c

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/

url

https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c

reference_url

https://github.com/advisories/GHSA-xj72-wvfv-8985

reference_id

GHSA-xj72-wvfv-8985

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xj72-wvfv-8985

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985

reference_id

GHSA-xj72-wvfv-8985

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985

fixed_packages

url pkg:npm/vm2@3.9.16

purl pkg:npm/vm2@3.9.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-mqs7-x7bh-17ef

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.16

aliases CVE-2023-29199, GHSA-xj72-wvfv-8985

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rm74-p6v5-wkbj

url VCID-rt16-s8w5-8qgy

vulnerability_id VCID-rt16-s8w5-8qgy

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. This vulnerability is fixed in 3.11.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44007

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.15083
published_at	2026-06-11T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.15211
published_at	2026-06-13T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.15207
published_at	2026-06-12T12:55:00Z

value	0.00051
scoring_system	epss
scoring_elements	0.166
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44007

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.1

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44007

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44007

reference_url

http://www.openwall.com/lists/oss-security/2026/05/05/11

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/05/05/11

reference_url

https://github.com/advisories/GHSA-8hg8-63c5-gwmx

reference_id

GHSA-8hg8-63c5-gwmx

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8hg8-63c5-gwmx

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx

reference_id

GHSA-8hg8-63c5-gwmx

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T03:55:57Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx

fixed_packages

url pkg:npm/vm2@3.11.1

purl pkg:npm/vm2@3.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.1

aliases CVE-2026-44007, GHSA-8hg8-63c5-gwmx

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rt16-s8w5-8qgy

url VCID-tvb2-2e76-27av

vulnerability_id VCID-tvb2-2e76-27av

summary

vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
### Summary

https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.

### Details

It is still possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.

### PoC

```js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
 globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']
`));
```

references

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/releases/tag/v3.11.2

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f

reference_url

https://github.com/advisories/GHSA-2cm2-m3w5-gp2f

reference_id

GHSA-2cm2-m3w5-gp2f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2cm2-m3w5-gp2f

fixed_packages

url pkg:npm/vm2@3.11.2

purl pkg:npm/vm2@3.11.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2

aliases GHSA-2cm2-m3w5-gp2f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tvb2-2e76-27av

url VCID-ua6c-rrsj-2kg6

vulnerability_id VCID-ua6c-rrsj-2kg6

summary vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-32314

reference_id

reference_type

scores

value	0.61685
scoring_system	epss
scoring_elements	0.98369
published_at	2026-06-14T12:55:00Z

value	0.61685
scoring_system	epss
scoring_elements	0.98368
published_at	2026-06-12T12:55:00Z

value	0.61685
scoring_system	epss
scoring_elements	0.98362
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-32314

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-32314

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-32314

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2208376
reference_id	2208376
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2208376

reference_url

https://github.com/patriksimek/vm2/releases/tag/3.9.18

reference_id

3.9.18

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/

url

https://github.com/patriksimek/vm2/releases/tag/3.9.18

reference_url

https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf

reference_id

d88105f99752305c5b8a77b63ddee3ec86912daf

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/

url

https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf

reference_url

https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

reference_id

e9f5cf5782dec8321095be3e52acf5ac

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/

url

https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

reference_url

https://github.com/advisories/GHSA-whpj-8f3w-67p5

reference_id

GHSA-whpj-8f3w-67p5

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-whpj-8f3w-67p5

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5

reference_id

GHSA-whpj-8f3w-67p5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5

fixed_packages

url pkg:npm/vm2@3.9.18

purl pkg:npm/vm2@3.9.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18

aliases CVE-2023-32314, GHSA-whpj-8f3w-67p5

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ua6c-rrsj-2kg6

url VCID-vj51-w2rv-6qgu

vulnerability_id VCID-vj51-w2rv-6qgu

summary vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-32313

reference_id

reference_type

scores

value	0.00712
scoring_system	epss
scoring_elements	0.7277
published_at	2026-06-11T12:55:00Z

value	0.00712
scoring_system	epss
scoring_elements	0.72846
published_at	2026-06-12T12:55:00Z

value	0.01556
scoring_system	epss
scoring_elements	0.81921
published_at	2026-06-14T12:55:00Z

value	0.01556
scoring_system	epss
scoring_elements	0.81929
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-32313

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-32313

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-32313

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2208377
reference_id	2208377
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2208377

reference_url

https://github.com/patriksimek/vm2/releases/tag/3.9.18

reference_id

3.9.18

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/

url

https://github.com/patriksimek/vm2/releases/tag/3.9.18

reference_url

https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

reference_id

5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/

url

https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238

reference_url

https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550

reference_id

c1c57eaf3e0a649af1a70c2b93b17550

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/

url

https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550

reference_url

https://github.com/advisories/GHSA-p5gc-c584-jj6v

reference_id

GHSA-p5gc-c584-jj6v

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p5gc-c584-jj6v

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v

reference_id

GHSA-p5gc-c584-jj6v

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v

fixed_packages

url pkg:npm/vm2@3.9.18

purl pkg:npm/vm2@3.9.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18

aliases CVE-2023-32313, GHSA-p5gc-c584-jj6v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vj51-w2rv-6qgu

url VCID-vsvp-q6bs-3qau

vulnerability_id VCID-vsvp-q6bs-3qau

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25893

reference_id

reference_type

scores

value	0.00495
scoring_system	epss
scoring_elements	0.66203
published_at	2026-06-11T12:55:00Z

value	0.00495
scoring_system	epss
scoring_elements	0.66297
published_at	2026-06-12T12:55:00Z

value	0.00495
scoring_system	epss
scoring_elements	0.66311
published_at	2026-06-13T12:55:00Z

value	0.00495
scoring_system	epss
scoring_elements	0.66309
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25893

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://github.com/patriksimek/vm2/issues/444

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/issues/444

reference_url

https://github.com/patriksimek/vm2/pull/445

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/pull/445

reference_url

https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25893

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25893

reference_url

https://security.snyk.io/vuln/SNYK-JS-VM2-2990237

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.snyk.io/vuln/SNYK-JS-VM2-2990237

reference_url

https://github.com/advisories/GHSA-4w2j-2rg4-5mjw

reference_id

GHSA-4w2j-2rg4-5mjw

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4w2j-2rg4-5mjw

fixed_packages

url pkg:npm/vm2@3.9.10

purl pkg:npm/vm2@3.9.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-ct4r-vjm4-4qby

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-mqs7-x7bh-17ef

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rm74-p6v5-wkbj

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-w13m-snrt-5ud3

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.10

aliases CVE-2022-25893, GHSA-4w2j-2rg4-5mjw

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vsvp-q6bs-3qau

url VCID-vwem-gghh-t7hc

vulnerability_id VCID-vwem-gghh-t7hc

summary vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. This vulnerability is fixed in 3.11.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44002

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11155
published_at	2026-06-12T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11089
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11149
published_at	2026-06-13T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.12184
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44002

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44002

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44002

reference_url

https://github.com/advisories/GHSA-v27g-jcqj-v8rw

reference_id

GHSA-v27g-jcqj-v8rw

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v27g-jcqj-v8rw

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw

reference_id

GHSA-v27g-jcqj-v8rw

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:23:24Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw

fixed_packages

url pkg:npm/vm2@3.11.0

purl pkg:npm/vm2@3.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0

aliases CVE-2026-44002, GHSA-v27g-jcqj-v8rw

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwem-gghh-t7hc

url VCID-w13m-snrt-5ud3

vulnerability_id VCID-w13m-snrt-5ud3

summary vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29017.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29017.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-29017

reference_id

reference_type

scores

value	0.70647
scoring_system	epss
scoring_elements	0.98725
published_at	2026-06-14T12:55:00Z

value	0.70647
scoring_system	epss
scoring_elements	0.98724
published_at	2026-06-13T12:55:00Z

value	0.74958
scoring_system	epss
scoring_elements	0.98891
published_at	2026-06-11T12:55:00Z

value	0.74958
scoring_system	epss
scoring_elements	0.98895
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-29017

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-29017

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-29017

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2185374
reference_id	2185374
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2185374

reference_url

https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d

reference_id

2a44e082001b959bfe304b62121fb76d

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/

url

https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d

reference_url

https://github.com/patriksimek/vm2/issues/515

reference_id

515

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/

url

https://github.com/patriksimek/vm2/issues/515

reference_url

https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50

reference_id

d534e5785f38307b70d3aac1945260a261a94d50

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/

url

https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50

reference_url

https://github.com/advisories/GHSA-7jxr-cg7f-gpgv

reference_id

GHSA-7jxr-cg7f-gpgv

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7jxr-cg7f-gpgv

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv

reference_id

GHSA-7jxr-cg7f-gpgv

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv

fixed_packages

url pkg:npm/vm2@3.9.15

purl pkg:npm/vm2@3.9.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-6n7e-fz65-jfds

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-mqs7-x7bh-17ef

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rm74-p6v5-wkbj

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-ua6c-rrsj-2kg6

vulnerability	VCID-vj51-w2rv-6qgu

vulnerability	VCID-vwem-gghh-t7hc

vulnerability	VCID-wm49-3agn-rffg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.15

aliases CVE-2023-29017, GHSA-7jxr-cg7f-gpgv

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w13m-snrt-5ud3

url VCID-wm49-3agn-rffg

vulnerability_id VCID-wm49-3agn-rffg

summary vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37466

reference_id

reference_type

scores

value	0.04929
scoring_system	epss
scoring_elements	0.8985
published_at	2026-06-11T12:55:00Z

value	0.04929
scoring_system	epss
scoring_elements	0.89887
published_at	2026-06-14T12:55:00Z

value	0.04929
scoring_system	epss
scoring_elements	0.89883
published_at	2026-06-12T12:55:00Z

value	0.04929
scoring_system	epss
scoring_elements	0.89889
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37466

reference_url

https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9

reference_url

https://github.com/patriksimek/vm2

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/patriksimek/vm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37466

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37466

reference_url

https://security.netapp.com/advisory/ntap-20230831-0007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230831-0007

reference_url

https://security.netapp.com/advisory/ntap-20241108-0002

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20241108-0002

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2232376
reference_id	2232376
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2232376

reference_url

https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744

reference_id

d9a1fde8ec5a5a9c9e5a69bf91d703950859d744

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/

url

https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744

reference_url

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

reference_id

GHSA-cchq-frgv-rjh5

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/

url

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

reference_url

https://github.com/patriksimek/vm2/releases/tag/v3.10.0

reference_id

v3.10.0

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/

url

https://github.com/patriksimek/vm2/releases/tag/v3.10.0

fixed_packages

url pkg:npm/vm2@3.10.0

purl pkg:npm/vm2@3.10.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-55dr-v6ew-s3e8

vulnerability	VCID-598j-pe72-qkh3

vulnerability	VCID-6fr8-3aqn-wyce

vulnerability	VCID-77zs-22q5-d7ev

vulnerability	VCID-8he7-t256-1yct

vulnerability	VCID-8pe8-9mh9-27f3

vulnerability	VCID-8zk3-a7sw-u7an

vulnerability	VCID-bcct-j6mk-z7hu

vulnerability	VCID-g93v-7a6d-5bfm

vulnerability	VCID-gbh7-h2ek-hqgg

vulnerability	VCID-gvhg-db7k-57ey

vulnerability	VCID-hb4z-qz2p-rqc5

vulnerability	VCID-k9q9-7mgb-rbbf

vulnerability	VCID-kjca-h5yw-cudv

vulnerability	VCID-nkcm-wcbb-quhs

vulnerability	VCID-pucd-5ym9-1bc8

vulnerability	VCID-rt16-s8w5-8qgy

vulnerability	VCID-tvb2-2e76-27av

vulnerability	VCID-vwem-gghh-t7hc

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.0

aliases CVE-2023-37466, GHSA-cchq-frgv-rjh5

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wm49-3agn-rffg

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.5

Package Instance