PatchSiren

Vm2 Project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Vm2 Project CVE published 2026-05-13

CVE-2026-45411

CVE-2026-45411 is a critical vulnerability in vm2, an open-source vm/sandbox for Node.js. It allows code running inside the sandbox to escape and execute arbitrary commands on the host system. The escape works by catching a host-realm exception through a yield* expression inside an async generator and then awaiting the captured value when the generator is closed, which hands the sandboxed code a host-realm exception object to work from. The vulnerability has a CVSS score of 9.8 and is [truncated]

CRITICAL Vm2 Project CVE published 2026-05-13

CVE-2026-44005

CVE-2026-44005 is a critical vulnerability in vm2, a sandbox for Node.js. It affects versions 3.9.6 through 3.10.5, in which vm2's bridge exposes mutable proxies for the real host-realm intrinsic prototypes. Attacker-controlled JavaScript running in a default VM or an inherited NodeVM can therefore mutate the shared host Object.prototype, Array.prototype and Function.prototype from inside the sandbox, i.e. pollute the very prototypes that the host process's own code relies on. The [truncated]

HIGH Vm2 Project CVE published 2026-05-13

CVE-2026-44001

CVE-2026-44001 is a high-severity vm2 sandbox issue that lets sandboxed code crash the host Node.js process (a denial of service). The supplied description says the problem exists in vm2 prior to 3.11.0 and that the earlier fix for CVE-2026-22709 only sanitized the onRejected callback in the .then() and .catch() overrides, leaving an executor-to-unhandledRejection path unaddressed. In practice, a single Promise constructor can [truncated]