vm2 project vm2

32 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE ID | Affected versions | CVSS score and severity
(the advisory summary follows each entry; summaries are truncated as on the source page)

CVE-2026-45411 | < 3.11.3 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expressio

CVE-2026-44009 | < 3.11.2 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, this vulnerability is fixed in 3.11.2.

CVE-2026-44008 | < 3.11.2 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from

CVE-2026-44007 | < 3.11.1 | 9.1 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can uncon

CVE-2026-44006 | < 3.11.0 | 10.0 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be us

CVE-2026-44005 | >= 3.9.6 and < 3.11.0 | 10.0 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intri

CVE-2026-44004 | < 3.11.0 | 7.5 HIGH
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to al

CVE-2026-44003 | < 3.11.0 | 5.3 MEDIUM
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AS

CVE-2026-44002 | < 3.11.0 | 5.8 MEDIUM
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's n

CVE-2026-44001 | < 3.11.0 | 8.6 HIGH
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed

CVE-2026-44000 | < 3.11.0 | 6.5 MEDIUM
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to

CVE-2026-43999 | < 3.11.0 | 9.9 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin

CVE-2026-43998 | all versions | 8.5 HIGH
    vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem s

CVE-2026-43997 | < 3.11.0 | 10.0 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to

CVE-2026-26956 | < 3.10.5 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code exec

CVE-2026-26332 | < 3.11.0 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and

CVE-2026-24781 | < 3.11.0 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through t

CVE-2026-24120 | < 3.10.5 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circu

CVE-2026-24118 | < 3.11.0 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This all

CVE-2026-22709 | < 3.10.2 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch c

CVE-2023-37903 | <= 3.9.19 | 9.8 CRITICAL
    vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allo

CVE-2023-37466 | <= 3.9.19 | 9.8 CRITICAL
    vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. Th

CVE-2023-32314 | < 3.9.18 | 9.8 CRITICAL
    vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versio

CVE-2023-32313 | < 3.9.18 | 5.3 MEDIUM
    vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to

CVE-2023-30547 | <= 3.9.16 | 9.8 CRITICAL
    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception s

CVE-2023-29199 | < 3.9.16 | 9.8 CRITICAL
    There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing

CVE-2023-29017 | < 3.9.15 | 10.0 CRITICAL
    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not proper

CVE-2022-25893 | < 3.9.10 | 9.8 CRITICAL
    The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prot

CVE-2022-36067 | < 3.9.11 | 10.0 CRITICAL
    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a thre

CVE-2019-10761 | < 3.6.11 | 8.3 HIGH
    This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandbo

CVE-2021-23555 | < 3.9.6 | 9.8 CRITICAL
    The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals

CVE-2021-23449 | < 3.9.4 | 9.8 CRITICAL
    This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code o
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin