CVE-2026-45411

Medienbericht

Exploit

EPSS 0.45%
Veröffentlicht 13.05.2026 17:38:38
Zuletzt bearbeitet 14.05.2026 18:19:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vm2: Sandbox Breakout Using Async Generator

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vm2 Project ≫ Vm2 SwPlatformnode.js Version < 3.11.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.359

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

20.05.2026 11:37

https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-45411

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45411

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45411

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45411