vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, sandboxed code can catch a host exception by using a `yield*` expression inside an async generator. When the generator is closed via its `return()` method, the value handed back by the delegated iterator's `return()` is awaited, and an exception thrown inside that value's `then` call is caught by the runtime and delivered to the generator at the `yield*` site. Because the exception object originates in the host realm, code that catches it can escape the vm2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.
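The language mechanism the description relies on, shown as an added example that is not part of the advisory or of vm2 itself. It runs in plain Node.js without vm2, so there is only one realm and nothing escapes; the point is the delivery path: an async iterator whose `return()` hands back a thenable whose `then()` throws, and a `yield*` delegation whose `try/catch` receives that exception when the outer generator is closed with `return()`. `HostLikeError`, `makeInnerIterator`, `outerGenerator` and `demonstrate` are names chosen for this illustration and stand in for a real host-realm exception.

```javascript
// Added example, not vm2 code. HostLikeError stands in for an exception
// created in the host realm; in a single-realm Node process it is just an Error.
class HostLikeError extends Error {
  constructor(message) {
    super(message);
    this.name = 'HostLikeError';
  }
}

// A hand-written async iterator (hypothetical, for illustration). When
// throwOnReturn is set, its return() hands back a thenable instead of a plain
// { value, done } record. The yield* algorithm awaits whatever return() gives
// back, and awaiting a thenable calls its then(), which throws here.
function makeInnerIterator(throwOnReturn) {
  return {
    [Symbol.asyncIterator]() {
      return this;
    },
    next() {
      return Promise.resolve({ value: 'inner-value', done: false });
    },
    return(arg) {
      if (throwOnReturn) {
        return {
          then() {
            throw new HostLikeError('thrown from then() during return()');
          },
        };
      }
      return Promise.resolve({ value: arg, done: true });
    },
  };
}

// The "sandboxed" side: it does nothing but delegate with yield* and wrap the
// delegation in try/catch. The exception raised while the runtime awaits the
// inner return() result surfaces exactly here, not at the caller of return().
async function* outerGenerator(throwOnReturn, seen) {
  try {
    yield* makeInnerIterator(throwOnReturn);
  } catch (err) {
    seen.push(err); // a real host Error would land here, unwrapped
  }
}

// Drives the generator: take one value, then close it with return().
// Returns what the try/catch observed and the results of both calls.
async function demonstrate(throwOnReturn) {
  const seen = [];
  const gen = outerGenerator(throwOnReturn, seen);
  const first = await gen.next();          // { value: 'inner-value', done: false }
  const closed = await gen.return('bye');  // triggers inner.return() -> thenable
  return { first, closed, seen };
}

// Usage: with throwOnReturn set, seen[0] is the HostLikeError thrown by then().
demonstrate(true).then(({ first, closed, seen }) => {
  console.log(first);
  console.log(closed);
  console.log(seen[0] instanceof HostLikeError, seen[0].message);
});
```

With `throwOnReturn` false the same driver returns `{ value: 'bye', done: true }` and `seen` stays empty, which is the normal close path. In vm2 the object caught at the `yield*` site would be a host-realm `Error`, which is the foothold the advisory describes. To find out whether a dependency tree resolves an affected release, `npm ls vm2` lists every resolved vm2 version; anything below 3.11.3 is affected.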
References
| Link | Resource |
|---|---|
| https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24 | Exploit Vendor Advisory |
Configurations
History
14 May 2026, 18:19
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Vm2 Project vm2; Vm2 Project |
| References | | () https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24 - Exploit, Vendor Advisory |
| CPE | | cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* |
13 May 2026, 19:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | | () https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24 - |
13 May 2026, 18:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-13 18:16
Updated : 2026-05-14 18:19
NVD link : CVE-2026-45411
Mitre link : CVE-2026-45411
CVE.ORG link : CVE-2026-45411
Products Affected
vm2_project
- vm2
CWE
CWE-668
Exposure of Resource to Wrong Sphere
