10
CVE-2026-44005
- EPSS 0.56%
- Veröffentlicht 13.05.2026 17:40:41
- Zuletzt bearbeitet 14.05.2026 16:16:23
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginvm2: Sandbox escape
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Vm2 Project ≫ Vm2 SwPlatformnode.js Version >= 3.9.6 < 3.11.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.422 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 10 | 3.9 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
|
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq