patriksimek vm2
cpe:2.3:a:vm2_project:vm2:*:*:*:*:node.js:*:*
- <= 3.10.4
A critical vulnerability allowing sandbox escape and arbitrary code execution has been identified in vm2 versions through 3.10.4. The issue arises from the handling of `SuppressedError`, which can be exploited to escape the sandbox environment.
Exploitation of this vulnerability allows for arbitrary code execution outside of the intended sandbox environment.
To reproduce this vulnerability, create a new VM instance using vm2. Then, run a script that creates a `DisposableStack` and uses it to throw a `SuppressedError`. This error can be manipulated to extract the `process` object, which can then be used to execute arbitrary commands, such as `echo pwned` using `execSync`. This proof-of-concept demonstrates how the vulnerability can be exploited to escape the sandbox and execute code on the host system.
Users are advised to upgrade to vm2 version 3.11.0 or later, where this vulnerability has been patched.