CRITICAL 9.8 npm
GHSA-248r-7h7q-cr24 · CVE-2026-45411 vm2 Has a Sandbox Breakout Using Async Generator
Modified: 5/14/2026
package
npm / vm2
pkg:npm/vm2
MEDIUM 5.3 npm
GHSA-2cm2-m3w5-gp2f vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
Modified: 5/8/2026
CRITICAL 10.0 npm
GHSA-47x8-96vw-5wg6 · CVE-2026-43997 vm2 Access to Host Object Enables Sandbox Escape
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-4w2j-2rg4-5mjw · CVE-2022-25893 vm2 vulnerable to Arbitrary Code Execution
Modified: 11/8/2023
CRITICAL 9.8 npm
GHSA-55hx-c926-fr95 · CVE-2026-26332 VM2 Has a Sandbox Escape Issue via SuppressedError
Modified: 5/5/2026
HIGH 7.5 npm
GHSA-6785-pvv7-mvg7 · CVE-2026-44004 vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-6j2x-vhqr-qr7q · CVE-2026-47210 vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
Modified: 5/29/2026
CRITICAL 9.8 npm
GHSA-6pw2-5hjv-9pf7 · CVE-2021-23555 Sandbox bypass in vm2
Modified: 3/13/2026
CRITICAL 10.0 npm
GHSA-76w7-j9cq-rx2j · CVE-2026-47208 vm2 is Vulnerable to Sandbox Breakout Through Promise Species
Modified: 5/29/2026
CRITICAL 9.8 npm
GHSA-7jxr-cg7f-gpgv · CVE-2023-29017 vm2 vulnerable to sandbox escape
Modified: 11/8/2023
CRITICAL 9.1 npm
GHSA-8hg8-63c5-gwmx · CVE-2026-44007 vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Modified: 5/14/2026
CRITICAL 9.9 npm
GHSA-947f-4v7f-x2v8 · CVE-2026-43999 vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-99p7-6v5w-7xg8 · CVE-2026-22709 vm2 has a Sandbox Escape
Modified: 2/3/2026
MEDIUM npm
GHSA-9g8x-92q2-p28f · CVE-2026-47141 NodeVM observability builtins leak host process and HTTP request data
Modified: 5/29/2026
CRITICAL 9.8 npm
GHSA-9qj6-qjgg-37qq · CVE-2026-44008 vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-9vg3-4rfj-wgcm · CVE-2026-44009 vm2 has Sandbox Breakout Through Null Proto Exception
Modified: 5/14/2026
HIGH 8.6 npm
GHSA-c4cf-2hgv-2qv6 · CVE-2026-47209 vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
Modified: 5/29/2026
CRITICAL 9.8 npm
GHSA-cchq-frgv-rjh5 · CVE-2023-37466 vm2 Sandbox Escape vulnerability
Modified: 2/3/2026
CRITICAL 9.8 npm
GHSA-ch3r-j5x3-6q2m · CVE-2023-30547 vm2 Sandbox Escape vulnerability
Modified: 11/8/2023
HIGH 8.5 npm
GHSA-cp6g-6699-wx9c · CVE-2026-43998 vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-ffh4-j6h5-pg66 · CVE-2026-26956 VM2 Has a WASM Sandbox Escape
Modified: 6/8/2026
CRITICAL 9.8 npm
GHSA-g644-9gfx-q4q4 · CVE-2023-37903 vm2 Sandbox Escape vulnerability
Modified: 11/4/2025
CRITICAL 9.8 npm
GHSA-grj5-jjm8-h35p · CVE-2026-24118 VM2 Sandbox Breakout Through __lookupGetter__
Modified: 5/8/2026
HIGH 8.6 npm
GHSA-hw58-p9xv-2mjh · CVE-2026-44001 vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
Modified: 5/14/2026
CRITICAL 10.0 npm
GHSA-m4wx-m65x-ghrr · CVE-2026-47137 vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
Modified: 5/29/2026
HIGH 8.7 npm
GHSA-m5q2-4fm3-vfqp · CVE-2026-47135 vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
Modified: 5/29/2026
MEDIUM 6.5 npm
GHSA-mpf8-4hx2-7cjg · CVE-2026-44000 vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Modified: 5/14/2026
CRITICAL 10.0 npm
GHSA-mrgp-mrhc-5jrq · CVE-2022-36067 vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
Modified: 11/8/2023
MEDIUM 5.3 npm
GHSA-p5gc-c584-jj6v · CVE-2023-32313 vm2 vulnerable to Inspect Manipulation
Modified: 11/8/2023
LOW npm
GHSA-q3fm-4wcw-g57x vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
Modified: 5/29/2026
CRITICAL 10.0 npm
GHSA-qcp4-v2jj-fjx8 · CVE-2026-44006 vm2 has a Sandbox Escape Vulnerability
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-qvjj-29qf-hp7p · CVE-2026-24120 VM2 Has Sandbox Breakout Through Promise Species
Modified: 5/5/2026
HIGH 8.6 npm
GHSA-r9pm-gxmw-wv6p · CVE-2026-47139 NodeVM network builtin exclusions bypass via internal _http_client and _http_server
Modified: 5/29/2026
CRITICAL 9.8 npm
GHSA-rjf2-j2r6-q8gr · CVE-2021-23449 Prototype Pollution in vm2
Modified: 3/13/2026
CRITICAL 10.0 npm
GHSA-rp36-8xq3-r6c4 · CVE-2026-47140 NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Modified: 5/29/2026
MEDIUM 5.8 npm
GHSA-v27g-jcqj-v8rw · CVE-2026-44002 vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-v37h-5mfm-c47c · CVE-2026-24781 VM2 Has Sandbox Breakout Through Inspect Function
Modified: 5/5/2026
CRITICAL 10.0 npm
GHSA-v6mx-mf47-r5wg · CVE-2026-47131 vm2 has a Sandbox Escape issue
Modified: 5/29/2026
CRITICAL 10.0 npm
GHSA-vwrp-x96c-mhwq · CVE-2026-44005 vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Modified: 5/14/2026
HIGH 8.3 npm
GHSA-wf5x-cr3r-xr77 · CVE-2019-10761 vm2 before 3.6.11 vulnerable to sandbox escape
Modified: 3/13/2026
CRITICAL 9.8 npm
GHSA-whpj-8f3w-67p5 · CVE-2023-32314 vm2 Sandbox Escape vulnerability
Modified: 11/8/2023
MEDIUM 5.3 npm
GHSA-wp5r-2gw5-m7q7 · CVE-2026-44003 vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
Modified: 5/14/2026
CRITICAL 9.8 npm
GHSA-xj72-wvfv-8985 · CVE-2023-29199 vm2 Sandbox Escape vulnerability
Modified: 11/8/2023