vm2: Sandbox Breakout Through Promise Species

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

Affected Products

Vendor	Product	Versions
patriksimek	vm2	< 3.10.5

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p(x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/releases/tag/v3.10.5(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-24120 | patriksimek vm2 up to 3.10.4 protection mechanism (GHSA-qvjj-29qf-hp7p)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-693, CWE-94

PublishedMay 4, 2026

Last enriched5h agov2

Trending Score52

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated description with new details and confirmed that there is no exploit available.

description

via VulDB

v19h ago

Initial creation

vm2: Sandbox Breakout Through Promise Species

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History