vm2 Sandbox Breakout Vulnerability Allowing Remote Code Execution

Vulnerability

A sandbox breakout vulnerability has been identified in vm2, an open-source virtual machine/sandbox for Node.js. It affects vm2 versions through 3.10.3 and allows an attacker who can run code inside the sandbox to escape it and execute arbitrary commands on the host. The root cause is the way Node's util.inspect handles proxies: inspecting a proxy that is visible from inside the sandbox exposes host-side objects, which can then be manipulated to reach the host and achieve remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the host system where vm2 is running.

Reproduction

The vulnerability can be reproduced by creating a proxy that is visible from inside the vm2 sandbox. The `util.inspect` function can then be used to traverse the proxy's internals and reach the `BaseHandler` instance. Once that handler has leaked into the sandbox, it can be manipulated to escape the sandbox and execute commands on the host system.

Remediation

Users should upgrade to vm2 version 3.11.0 or later, where this vulnerability has been patched.
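As an added remediation check (not code from this advisory or from the vm2 project), the script below walks the `packages` map of an npm `package-lock.json` and flags every installed copy of vm2, including copies nested under other dependencies, that falls below the patched 3.11.0 release. The lock-file data embedded in it is constructed sample input.

```javascript
// Added example, not code from the advisory or from vm2: walk a
// package-lock.json "packages" map and flag every vm2 copy below the
// patched release named in the advisory. Sample lock data is constructed.
const VULNERABLE_MAX = [3, 10, 3]; // advisory: affected through 3.10.3
const PATCHED_MIN = [3, 11, 0];    // advisory: fixed in 3.11.0

// Parse "MAJOR.MINOR.PATCH" (any pre-release suffix ignored) into numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed vm2 version against the advisory's ranges.
function classifyVm2(version) {
  const v = parseSemver(version);
  if (compare(v, VULNERABLE_MAX) <= 0) return 'vulnerable';
  if (compare(v, PATCHED_MIN) < 0) return 'below-patched-release';
  return 'ok';
}

// Report every vm2 entry, direct or nested under another dependency
// (lockfileVersion 2/3 keys look like "node_modules/a/node_modules/vm2").
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      findings.push({ path, version: entry.version, status: classifyVm2(entry.version) });
    }
  }
  return findings;
}

// Constructed sample: a patched direct copy plus an older copy nested under a plugin.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/vm2': { version: '3.11.0' },
    'node_modules/legacy-plugin': { version: '1.0.0' },
    'node_modules/legacy-plugin/node_modules/vm2': { version: '3.10.3' },
  },
};
console.table(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any entry reported as anything other than `ok` needs the upgrade described above.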

Added: May 4, 2026, 5:37 PM
Updated: May 4, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           6.6
  impact           10.0
  exploitability   5.5
  remediation      7.7
  relevance        7.4
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.