Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/539215?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/539215?format=api", "purl": "pkg:npm/vm2@3.9.5", "type": "npm", "namespace": "", "name": "vm2", "version": "3.9.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.11.4", "latest_non_vulnerable_version": "3.11.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208135?format=api", "vulnerability_id": "VCID-3srt-uk7n-xqcw", "summary": "Sandbox bypass in vm2", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23555", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01104", "scoring_system": "epss", "scoring_elements": "0.78559", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01104", "scoring_system": "epss", "scoring_elements": "0.78493", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01104", "scoring_system": "epss", "scoring_elements": "0.78572", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01104", "scoring_system": "epss", "scoring_elements": "0.78577", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23555" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": 
"https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-VM2-2309905", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-VM2-2309905" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054114", "reference_id": "2054114", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054114" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23555", "reference_id": "CVE-2021-23555", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23555" }, { "reference_url": "https://github.com/advisories/GHSA-6pw2-5hjv-9pf7", "reference_id": "GHSA-6pw2-5hjv-9pf7", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6pw2-5hjv-9pf7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19330?format=api", "purl": "pkg:npm/vm2@3.9.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { 
"vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-ct4r-vjm4-4qby" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-mqs7-x7bh-17ef" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rm74-p6v5-wkbj" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vsvp-q6bs-3qau" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-w13m-snrt-5ud3" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.6" } ], "aliases": [ "CVE-2021-23555", "GHSA-6pw2-5hjv-9pf7" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3srt-uk7n-xqcw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67986?format=api", "vulnerability_id": "VCID-55dr-v6ew-s3e8", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. 
This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44006", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19606", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19433", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19627", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21055", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44006" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44006", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44006" }, 
{ "reference_url": "https://github.com/advisories/GHSA-qcp4-v2jj-fjx8", "reference_id": "GHSA-qcp4-v2jj-fjx8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qcp4-v2jj-fjx8" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8", "reference_id": "GHSA-qcp4-v2jj-fjx8", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:09:17Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44006", "GHSA-qcp4-v2jj-fjx8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-55dr-v6ew-s3e8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69768?format=api", "vulnerability_id": "VCID-598j-pe72-qkh3", "summary": "vm2 is an open source vm/sandbox for Node.js. 
Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45411", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24192", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.23987", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24183", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25545", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45411" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0" 
}, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45411", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45411" }, { "reference_url": "https://github.com/advisories/GHSA-248r-7h7q-cr24", "reference_id": "GHSA-248r-7h7q-cr24", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-248r-7h7q-cr24" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24", "reference_id": "GHSA-248r-7h7q-cr24", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:06:42Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41719?format=api", "purl": "pkg:npm/vm2@3.11.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8au2-j7az-byfp" }, { 
"vulnerability": "VCID-c1qf-rxjq-p7hr" }, { "vulnerability": "VCID-cb3t-tejn-2fcn" }, { "vulnerability": "VCID-ecr5-kq87-2uez" }, { "vulnerability": "VCID-etxy-bh6c-zbdv" }, { "vulnerability": "VCID-kv67-9wty-p3hc" }, { "vulnerability": "VCID-r9rx-mrvp-97br" }, { "vulnerability": "VCID-sxnb-dxuh-hfbt" }, { "vulnerability": "VCID-tdv8-2vye-cyaw" }, { "vulnerability": "VCID-yg7p-bmb4-8fg7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.3" } ], "aliases": [ "CVE-2026-45411", "GHSA-248r-7h7q-cr24" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-598j-pe72-qkh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65489?format=api", "vulnerability_id": "VCID-6fr8-3aqn-wyce", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). 
This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43997", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06381", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06391", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06402", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07003", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43997" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43997", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43997" }, { "reference_url": "https://github.com/advisories/GHSA-47x8-96vw-5wg6", "reference_id": "GHSA-47x8-96vw-5wg6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-47x8-96vw-5wg6" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6", "reference_id": "GHSA-47x8-96vw-5wg6", "reference_type": "", "scores": [ { "value": "10", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:39:53Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-43997", "GHSA-47x8-96vw-5wg6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6fr8-3aqn-wyce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/356249?format=api", "vulnerability_id": "VCID-6n7e-fz65-jfds", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37903", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.39507", "scoring_system": "epss", 
"scoring_elements": "0.97403", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.39507", "scoring_system": "epss", "scoring_elements": "0.97406", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.39507", "scoring_system": "epss", "scoring_elements": "0.97405", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.40092", "scoring_system": "epss", "scoring_elements": "0.97429", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37903" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37903" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230831-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230831-0007" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20241108-0002", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224969", "reference_id": "2224969", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224969" }, { "reference_url": "https://github.com/advisories/GHSA-g644-9gfx-q4q4", "reference_id": "GHSA-g644-9gfx-q4q4", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g644-9gfx-q4q4" } ], "fixed_packages": [], "aliases": [ "CVE-2023-37903", "GHSA-g644-9gfx-q4q4" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6n7e-fz65-jfds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/68045?format=api", "vulnerability_id": "VCID-77zs-22q5-d7ev", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. 
This allows the sandbox to interact with the host object directly, including performing identity checks using host-side WeakMap and mutating host object state from inside the sandbox. This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object. As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation. This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44000", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14887", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15006", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15008", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16396", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44000" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44000", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-44000" }, { "reference_url": "https://github.com/advisories/GHSA-mpf8-4hx2-7cjg", "reference_id": "GHSA-mpf8-4hx2-7cjg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mpf8-4hx2-7cjg" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg", "reference_id": "GHSA-mpf8-4hx2-7cjg", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:20:50Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44000", "GHSA-mpf8-4hx2-7cjg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-77zs-22q5-d7ev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82746?format=api", "vulnerability_id": "VCID-8he7-t256-1yct", "summary": "vm2 is an open source vm/sandbox for Node.js. 
Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24781", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40422", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40433", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40243", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00186", "scoring_system": "epss", "scoring_elements": "0.40411", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24781" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466531", "reference_id": "2466531", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466531" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189", "reference_id": "8d30d93213c1898b3e035298b89a814970dd1189", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c", "reference_id": "bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228", "reference_id": "fd266d084e0a3322d0f71ba2a8dc4c96cd030228", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228" }, { "reference_url": "https://github.com/advisories/GHSA-v37h-5mfm-c47c", "reference_id": "GHSA-v37h-5mfm-c47c", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v37h-5mfm-c47c" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c", "reference_id": "GHSA-v37h-5mfm-c47c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "reference_id": "v3.11.0", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" 
}, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-24781", "GHSA-v37h-5mfm-c47c" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8he7-t256-1yct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67728?format=api", "vulnerability_id": "VCID-8pe8-9mh9-27f3", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44003", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.1589", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15743", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15881", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17304", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44003" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44003", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44003" }, { "reference_url": "https://github.com/advisories/GHSA-wp5r-2gw5-m7q7", "reference_id": "GHSA-wp5r-2gw5-m7q7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wp5r-2gw5-m7q7" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7", "reference_id": "GHSA-wp5r-2gw5-m7q7", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:40:49Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44003", "GHSA-wp5r-2gw5-m7q7" ], "risk_score": 3.1, 
"exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8pe8-9mh9-27f3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67806?format=api", "vulnerability_id": "VCID-8zk3-a7sw-u7an", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44009", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05768", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05752", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05777", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.0633", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44009" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44009", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44009" }, { "reference_url": "https://github.com/advisories/GHSA-9vg3-4rfj-wgcm", "reference_id": "GHSA-9vg3-4rfj-wgcm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9vg3-4rfj-wgcm" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm", "reference_id": "GHSA-9vg3-4rfj-wgcm", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:41:46Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375365?format=api", "purl": "pkg:npm/vm2@3.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2" } ], "aliases": [ "CVE-2026-44009", "GHSA-9vg3-4rfj-wgcm" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8zk3-a7sw-u7an" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67682?format=api", "vulnerability_id": "VCID-bcct-j6mk-z7hu", "summary": "vm2 is an open source vm/sandbox for Node.js. 
Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44004", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16892", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16741", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16906", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18309", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44004" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44004", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44004" }, { "reference_url": "https://github.com/advisories/GHSA-6785-pvv7-mvg7", "reference_id": "GHSA-6785-pvv7-mvg7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6785-pvv7-mvg7" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7", "reference_id": "GHSA-6785-pvv7-mvg7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:07:58Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44004", "GHSA-6785-pvv7-mvg7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bcct-j6mk-z7hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/166970?format=api", "vulnerability_id": "VCID-ct4r-vjm4-4qby", "summary": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. 
There are no known workarounds.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36067", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.84468", "scoring_system": "epss", "scoring_elements": "0.99346", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.84468", "scoring_system": "epss", "scoring_elements": "0.99347", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.84468", "scoring_system": "epss", "scoring_elements": "0.99344", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36067" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221017-0002", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20221017-0002" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124794", "reference_id": "2124794", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124794" }, { "reference_url": 
"https://github.com/patriksimek/vm2/issues/467", "reference_id": "467", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://github.com/patriksimek/vm2/issues/467" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36067", "reference_id": "CVE-2022-36067", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36067" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164", "reference_id": "d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164" }, { "reference_url": 
"https://github.com/advisories/GHSA-mrgp-mrhc-5jrq", "reference_id": "GHSA-mrgp-mrhc-5jrq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrgp-mrhc-5jrq" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq", "reference_id": "GHSA-mrgp-mrhc-5jrq", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221017-0002/", "reference_id": "ntap-20221017-0002", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20221017-0002/" }, { "reference_url": "https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71", "reference_id": "setup-sandbox.js#L71", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71" }, { "reference_url": "https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067", "reference_id": "vm2-sandbreak-vulnerability-cve-2022-36067", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/" } ], "url": "https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27148?format=api", "purl": "pkg:npm/vm2@3.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-mqs7-x7bh-17ef" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rm74-p6v5-wkbj" }, { "vulnerability": 
"VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-w13m-snrt-5ud3" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.11" } ], "aliases": [ "CVE-2022-36067", "GHSA-mrgp-mrhc-5jrq" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ct4r-vjm4-4qby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67932?format=api", "vulnerability_id": "VCID-g93v-7a6d-5bfm", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This vulnerability is fixed in 3.11.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44008", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24192", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.23987", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24183", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25545", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44008" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44008", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44008" }, { "reference_url": "https://github.com/advisories/GHSA-9qj6-qjgg-37qq", "reference_id": 
"GHSA-9qj6-qjgg-37qq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9qj6-qjgg-37qq" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq", "reference_id": "GHSA-9qj6-qjgg-37qq", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-14T18:21:34Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375365?format=api", "purl": "pkg:npm/vm2@3.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2" } ], "aliases": [ "CVE-2026-44008", "GHSA-9qj6-qjgg-37qq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g93v-7a6d-5bfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70820?format=api", "vulnerability_id": "VCID-gvhg-db7k-57ey", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. 
This issue has been patched in version 3.11.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25392", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25406", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25389", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25191", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26332" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0" }, { "reference_url": 
"https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26332", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26332" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466508", "reference_id": "2466508", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466508" }, { "reference_url": "https://github.com/advisories/GHSA-55hx-c926-fr95", "reference_id": "GHSA-55hx-c926-fr95", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-55hx-c926-fr95" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "reference_id": "GHSA-55hx-c926-fr95", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "reference_id": "v3.11.0", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-26332", "GHSA-55hx-c926-fr95" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gvhg-db7k-57ey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67951?format=api", "vulnerability_id": "VCID-hb4z-qz2p-rqc5", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. 
This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44001", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16892", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16741", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16906", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18309", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44001" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44001", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44001" }, { "reference_url": "https://github.com/advisories/GHSA-99p7-6v5w-7xg8", "reference_id": "GHSA-99p7-6v5w-7xg8", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99p7-6v5w-7xg8" }, { "reference_url": "https://github.com/advisories/GHSA-hw58-p9xv-2mjh", "reference_id": 
"GHSA-hw58-p9xv-2mjh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hw58-p9xv-2mjh" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh", "reference_id": "GHSA-hw58-p9xv-2mjh", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:16:50Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44001", "GHSA-hw58-p9xv-2mjh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hb4z-qz2p-rqc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71039?format=api", "vulnerability_id": "VCID-k9q9-7mgb-rbbf", "summary": "vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. 
This issue has been patched in version 3.10.5.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26956", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.32075", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.32096", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.31893", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.32079", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26956" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26956", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26956" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466548", "reference_id": "2466548", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2466548" }, { "reference_url": "https://github.com/advisories/GHSA-ffh4-j6h5-pg66", "reference_id": "GHSA-ffh4-j6h5-pg66", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ffh4-j6h5-pg66" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66", "reference_id": "GHSA-ffh4-j6h5-pg66", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5", "reference_id": "v3.10.5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375356?format=api", "purl": "pkg:npm/vm2@3.10.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-88m4-3mra-mqfc" }, { "vulnerability": 
"VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-x2zr-7eqd-m3b7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5" } ], "aliases": [ "CVE-2026-26956", "GHSA-ffh4-j6h5-pg66" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k9q9-7mgb-rbbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82947?format=api", "vulnerability_id": "VCID-kjca-h5yw-cudv", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.11.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24118", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39156", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39164", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38968", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.3914", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24118" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24118", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24118" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466502", "reference_id": "2466502", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2466502" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "reference_id": "2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74", "reference_id": "f9b700b1c7d9ef2df416666cb24e0b659140cc74", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74" }, { "reference_url": "https://github.com/advisories/GHSA-grj5-jjm8-h35p", "reference_id": "GHSA-grj5-jjm8-h35p", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-grj5-jjm8-h35p" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "reference_id": "GHSA-grj5-jjm8-h35p", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "reference_id": "v3.11.0", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-24118", "GHSA-grj5-jjm8-h35p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kjca-h5yw-cudv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/129987?format=api", "vulnerability_id": "VCID-mqs7-x7bh-17ef", "summary": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. 
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30547", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.83683", "scoring_system": "epss", "scoring_elements": "0.99312", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.83683", "scoring_system": "epss", "scoring_elements": "0.99311", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.83683", "scoring_system": "epss", "scoring_elements": "0.99308", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30547" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/3.9.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.17" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30547", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30547" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187608", "reference_id": "2187608", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187608" }, { "reference_url": "https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244", "reference_id": "381b230b04936dd4d74aaf90cc8bb244", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/" } ], "url": "https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049", "reference_id": "4b22e87b102d97d45d112a0931dba1aef7eea049", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049" }, { "reference_url": 
"https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5", "reference_id": "f3db4dee4d76b19869df05ba7880d638a880edd5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5" }, { "reference_url": "https://github.com/advisories/GHSA-ch3r-j5x3-6q2m", "reference_id": "GHSA-ch3r-j5x3-6q2m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ch3r-j5x3-6q2m" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m", "reference_id": "GHSA-ch3r-j5x3-6q2m", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379377?format=api", "purl": "pkg:npm/vm2@3.9.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": 
"VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.17" } ], "aliases": [ "CVE-2023-30547", "GHSA-ch3r-j5x3-6q2m" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mqs7-x7bh-17ef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83370?format=api", "vulnerability_id": "VCID-nkcm-wcbb-quhs", "summary": "vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. 
Version 3.10.2 fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22709", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17446", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17418", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1743", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17266", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22709" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29", "reference_id": "4b009c2d4b1131c01810c1205e641d614c322a29", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22709", "reference_id": "CVE-2026-22709", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22709" }, { "reference_url": "https://github.com/advisories/GHSA-99p7-6v5w-7xg8", "reference_id": "GHSA-99p7-6v5w-7xg8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99p7-6v5w-7xg8" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8", "reference_id": "GHSA-99p7-6v5w-7xg8", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2", "reference_id": "v3.10.2", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38164?format=api", "purl": "pkg:npm/vm2@3.10.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-77zs-22q5-d7ev" 
}, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.2" } ], "aliases": [ "CVE-2026-22709", "GHSA-99p7-6v5w-7xg8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nkcm-wcbb-quhs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83213?format=api", "vulnerability_id": "VCID-pucd-5ym9-1bc8", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.10.5.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24120", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.3201", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.3203", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.32014", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00129", "scoring_system": "epss", "scoring_elements": "0.31828", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24120" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24120", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24120" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466529", "reference_id": "2466529", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2466529" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", "reference_id": "GHSA-cchq-frgv-rjh5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qvjj-29qf-hp7p", "reference_id": "GHSA-qvjj-29qf-hp7p", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qvjj-29qf-hp7p" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p", "reference_id": "GHSA-qvjj-29qf-hp7p", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5", "reference_id": "v3.10.5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/" } ], "url": 
"https://github.com/patriksimek/vm2/releases/tag/v3.10.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375356?format=api", "purl": "pkg:npm/vm2@3.10.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-88m4-3mra-mqfc" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-x2zr-7eqd-m3b7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5" } ], "aliases": [ "CVE-2026-24120", "GHSA-qvjj-29qf-hp7p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pucd-5ym9-1bc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/140478?format=api", "vulnerability_id": "VCID-rm74-p6v5-wkbj", "summary": "There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. 
This vulnerability was patched in the release of version `3.9.16` of `vm2`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.18512", "scoring_system": "epss", "scoring_elements": "0.95416", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.18512", "scoring_system": "epss", "scoring_elements": "0.95415", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.24972", "scoring_system": "epss", "scoring_elements": "0.9629", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.24972", "scoring_system": "epss", "scoring_elements": "0.96301", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29199" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29199", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29199" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187409", "reference_id": "2187409", 
"reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187409" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7", "reference_id": "24c724daa7c09f003e556d7cd1c7a8381cb985d7", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/3.9.16", "reference_id": "3.9.16", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.16" }, { "reference_url": "https://github.com/patriksimek/vm2/issues/516", "reference_id": "516", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/" } ], "url": "https://github.com/patriksimek/vm2/issues/516" }, { "reference_url": "https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c", "reference_id": "f05730165799bf56d70391f3d9ea187c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/" } ], "url": "https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c" }, { "reference_url": "https://github.com/advisories/GHSA-xj72-wvfv-8985", "reference_id": "GHSA-xj72-wvfv-8985", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xj72-wvfv-8985" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985", "reference_id": "GHSA-xj72-wvfv-8985", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379392?format=api", "purl": "pkg:npm/vm2@3.9.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": 
"VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-mqs7-x7bh-17ef" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.16" } ], "aliases": [ "CVE-2023-29199", "GHSA-xj72-wvfv-8985" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rm74-p6v5-wkbj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67672?format=api", "vulnerability_id": "VCID-rt16-s8w5-8qgy", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. 
This vulnerability is fixed in 3.11.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44007", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15083", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15211", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15207", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.166", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44007" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44007", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44007" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/05/05/11", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/05/05/11" }, { "reference_url": "https://github.com/advisories/GHSA-8hg8-63c5-gwmx", "reference_id": "GHSA-8hg8-63c5-gwmx", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8hg8-63c5-gwmx" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx", "reference_id": "GHSA-8hg8-63c5-gwmx", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T03:55:57Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375840?format=api", "purl": "pkg:npm/vm2@3.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.1" } ], "aliases": [ "CVE-2026-44007", "GHSA-8hg8-63c5-gwmx" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rt16-s8w5-8qgy" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/360255?format=api", "vulnerability_id": "VCID-tvb2-2e76-27av", "summary": "vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`\n### Summary\n\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.\n\n### Details\n\nIt is still possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.\n\n### PoC\n\n```js\nconst {VM} = require(\"vm2\");\nconst vm = new VM();\nconsole.log(vm.run(`\n globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']\n`));\n```", "references": [ { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.2" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f" }, { "reference_url": "https://github.com/advisories/GHSA-2cm2-m3w5-gp2f", "reference_id": 
"GHSA-2cm2-m3w5-gp2f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cm2-m3w5-gp2f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375365?format=api", "purl": "pkg:npm/vm2@3.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2" } ], "aliases": [ "GHSA-2cm2-m3w5-gp2f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvb2-2e76-27av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143436?format=api", "vulnerability_id": "VCID-ua6c-rrsj-2kg6", "summary": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32314", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.61685", "scoring_system": "epss", "scoring_elements": "0.98369", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.61685", "scoring_system": "epss", "scoring_elements": "0.98368", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.61685", "scoring_system": "epss", "scoring_elements": "0.98362", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32314" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32314" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208376", "reference_id": "2208376", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208376" }, { "reference_url": 
"https://github.com/patriksimek/vm2/releases/tag/3.9.18", "reference_id": "3.9.18", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.18" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf", "reference_id": "d88105f99752305c5b8a77b63ddee3ec86912daf", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf" }, { "reference_url": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac", "reference_id": "e9f5cf5782dec8321095be3e52acf5ac", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/" } ], "url": "https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac" }, { "reference_url": "https://github.com/advisories/GHSA-whpj-8f3w-67p5", "reference_id": "GHSA-whpj-8f3w-67p5", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-whpj-8f3w-67p5" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5", "reference_id": "GHSA-whpj-8f3w-67p5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381961?format=api", "purl": "pkg:npm/vm2@3.9.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18" } ], "aliases": [ "CVE-2023-32314", "GHSA-whpj-8f3w-67p5" ], "risk_score": 4.5, 
"exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ua6c-rrsj-2kg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143123?format=api", "vulnerability_id": "VCID-vj51-w2rv-6qgu", "summary": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32313", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00712", "scoring_system": "epss", "scoring_elements": "0.7277", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00712", "scoring_system": "epss", "scoring_elements": "0.72846", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01556", "scoring_system": "epss", "scoring_elements": "0.81921", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01556", "scoring_system": "epss", "scoring_elements": "0.81929", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32313" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32313" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208377", "reference_id": "2208377", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208377" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/3.9.18", "reference_id": "3.9.18", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.18" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238", "reference_id": "5206ba25afd86ef547a2c9d48d46ca7a9e6ec238", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238" }, { "reference_url": 
"https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550", "reference_id": "c1c57eaf3e0a649af1a70c2b93b17550", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/" } ], "url": "https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550" }, { "reference_url": "https://github.com/advisories/GHSA-p5gc-c584-jj6v", "reference_id": "GHSA-p5gc-c584-jj6v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5gc-c584-jj6v" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v", "reference_id": "GHSA-p5gc-c584-jj6v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381961?format=api", "purl": "pkg:npm/vm2@3.9.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": 
"VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18" } ], "aliases": [ "CVE-2023-32313", "GHSA-p5gc-c584-jj6v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vj51-w2rv-6qgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349369?format=api", "vulnerability_id": "VCID-vsvp-q6bs-3qau", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25893", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00495", "scoring_system": "epss", "scoring_elements": "0.66203", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00495", "scoring_system": "epss", "scoring_elements": "0.66297", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00495", "scoring_system": "epss", "scoring_elements": "0.66311", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00495", "scoring_system": "epss", "scoring_elements": "0.66309", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25893" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://github.com/patriksimek/vm2/issues/444", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/issues/444" }, { "reference_url": "https://github.com/patriksimek/vm2/pull/445", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/pull/445" }, { "reference_url": "https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25893", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25893" }, { "reference_url": "https://security.snyk.io/vuln/SNYK-JS-VM2-2990237", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.snyk.io/vuln/SNYK-JS-VM2-2990237" }, { "reference_url": "https://github.com/advisories/GHSA-4w2j-2rg4-5mjw", "reference_id": "GHSA-4w2j-2rg4-5mjw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4w2j-2rg4-5mjw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/384073?format=api", "purl": "pkg:npm/vm2@3.9.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-ct4r-vjm4-4qby" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-mqs7-x7bh-17ef" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rm74-p6v5-wkbj" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-w13m-snrt-5ud3" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.10" } ], "aliases": [ "CVE-2022-25893", 
"GHSA-4w2j-2rg4-5mjw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vsvp-q6bs-3qau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67756?format=api", "vulnerability_id": "VCID-vwem-gghh-t7hc", "summary": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. This vulnerability is fixed in 3.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44002", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11155", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11089", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11149", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12184", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44002" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44002", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44002" }, { "reference_url": "https://github.com/advisories/GHSA-v27g-jcqj-v8rw", "reference_id": "GHSA-v27g-jcqj-v8rw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v27g-jcqj-v8rw" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw", "reference_id": "GHSA-v27g-jcqj-v8rw", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:23:24Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375381?format=api", "purl": "pkg:npm/vm2@3.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0" } ], "aliases": [ "CVE-2026-44002", "GHSA-v27g-jcqj-v8rw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vwem-gghh-t7hc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/140519?format=api", "vulnerability_id": 
"VCID-w13m-snrt-5ud3", "summary": "vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
"reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29017" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185374", "reference_id": "2185374", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185374" }, { "reference_url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d", "reference_id": "2a44e082001b959bfe304b62121fb76d", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/" } ], "url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d" }, { "reference_url": "https://github.com/patriksimek/vm2/issues/515", "reference_id": "515", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/" } ], "url": "https://github.com/patriksimek/vm2/issues/515" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50", "reference_id": 
"d534e5785f38307b70d3aac1945260a261a94d50", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50" }, { "reference_url": "https://github.com/advisories/GHSA-7jxr-cg7f-gpgv", "reference_id": "GHSA-7jxr-cg7f-gpgv", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jxr-cg7f-gpgv" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv", "reference_id": "GHSA-7jxr-cg7f-gpgv", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379370?format=api", "purl": "pkg:npm/vm2@3.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": 
"VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-6n7e-fz65-jfds" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { "vulnerability": "VCID-mqs7-x7bh-17ef" }, { "vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rm74-p6v5-wkbj" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-ua6c-rrsj-2kg6" }, { "vulnerability": "VCID-vj51-w2rv-6qgu" }, { "vulnerability": "VCID-vwem-gghh-t7hc" }, { "vulnerability": "VCID-wm49-3agn-rffg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.15" } ], "aliases": [ "CVE-2023-29017", "GHSA-7jxr-cg7f-gpgv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w13m-snrt-5ud3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/138879?format=api", "vulnerability_id": "VCID-wm49-3agn-rffg", "summary": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. 
Version 3.10.0 contains a patch for the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37466", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04929", "scoring_system": "epss", "scoring_elements": "0.8985", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.04929", "scoring_system": "epss", "scoring_elements": "0.89887", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.04929", "scoring_system": "epss", "scoring_elements": "0.89883", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.04929", "scoring_system": "epss", "scoring_elements": "0.89889", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37466" }, { "reference_url": "https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9" }, { "reference_url": "https://github.com/patriksimek/vm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37466" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230831-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230831-0007" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20241108-0002", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232376", "reference_id": "2232376", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232376" }, { "reference_url": "https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744", "reference_id": "d9a1fde8ec5a5a9c9e5a69bf91d703950859d744", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/" } ], "url": "https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744" }, { "reference_url": 
"https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", "reference_id": "GHSA-cchq-frgv-rjh5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5" }, { "reference_url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.0", "reference_id": "v3.10.0", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/" } ], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381430?format=api", "purl": "pkg:npm/vm2@3.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-55dr-v6ew-s3e8" }, { "vulnerability": "VCID-598j-pe72-qkh3" }, { "vulnerability": "VCID-6fr8-3aqn-wyce" }, { "vulnerability": "VCID-77zs-22q5-d7ev" }, { "vulnerability": "VCID-8he7-t256-1yct" }, { "vulnerability": "VCID-8pe8-9mh9-27f3" }, { "vulnerability": "VCID-8zk3-a7sw-u7an" }, { "vulnerability": "VCID-bcct-j6mk-z7hu" }, { "vulnerability": "VCID-g93v-7a6d-5bfm" }, { "vulnerability": "VCID-gbh7-h2ek-hqgg" }, { "vulnerability": "VCID-gvhg-db7k-57ey" }, { "vulnerability": "VCID-hb4z-qz2p-rqc5" }, { "vulnerability": "VCID-k9q9-7mgb-rbbf" }, { "vulnerability": "VCID-kjca-h5yw-cudv" }, { 
"vulnerability": "VCID-nkcm-wcbb-quhs" }, { "vulnerability": "VCID-pucd-5ym9-1bc8" }, { "vulnerability": "VCID-rt16-s8w5-8qgy" }, { "vulnerability": "VCID-tvb2-2e76-27av" }, { "vulnerability": "VCID-vwem-gghh-t7hc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.0" } ], "aliases": [ "CVE-2023-37466", "GHSA-cchq-frgv-rjh5" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wm49-3agn-rffg" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.5" }