CRITICAL🇵🇱 Wersja polska

CVE-2026-45411

CVSS 9.8v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

🤖 AI Analysis
How it works

The vulnerability consists of the ability to intercept a host exception using the yield* expression inside an asynchronous generator. When the generator is closed by the return function, the return value is awaited, and exceptions thrown in the then call are caught by the runtime environment and passed back to the yield* iterator as the next value. This mechanism allows code to escape the isolated vm2 context and gain access to the host environment. The attack requires no privileges or user interaction.

Impact

An attacker can completely escape the isolated vm2 sandbox environment (sandbox escape) and execute arbitrary code on the host system, leading to complete violation of system confidentiality, integrity, and availability.

Mitigation & patch

The vm2 library should be updated to version 3.11.3 or newer, in which the vulnerability has been fixed. Details are available in the vendor's GitHub Security Advisories references.

Who is affected

The vm2 library in versions prior to 3.11.3 for Node.js.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)