External risk intelligence

VM2 sandbox escape allows attackers to run commands on your system

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-45411

An external attacker can bypass the vm2 sandbox to execute unauthorized commands on the host system. This allows the attacker to gain full control over the infrastructure, creating a significant risk to the security of business operations.

Halo Surface Signal: 3

Affected product: Vm2 Project Vm2, versions before 3.11.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-45411

vm2 is a Node.js library for sandboxing untrusted code. It is not a standalone service, so internet exposure depends entirely on how the host application is deployed. It is often used to process user-supplied input in web-facing systems, but it is also used in internal tools and build pipelines, so internet reachability is possible but not universal across deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the vm2 Node.js sandbox allows malicious code to escape its confines and execute arbitrary commands on the host system. This is a significant risk because it bypasses the intended security boundaries, potentially exposing the entire system to compromise.

  • Arbitrary command execution.
  • Unauthenticated escape possible.
  • Affects Node.js applications.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting malicious JavaScript that, when executed within a vulnerable version of the `vm2` sandbox, escapes the sandbox and runs arbitrary commands on the host system. This path is particularly concerning because it requires no prior authentication or user interaction, so any remote party whose code reaches the sandbox can use it.

  • No authentication needed.
  • Target: Node.js applications using `vm2`.
  • Execute commands on host.

Live Threat

Current exploitation, exposure, and threat context

The vm2 sandbox escape vulnerability presents a significant risk because it allows for arbitrary code execution on the host system. This capability is highly sought after by attackers. While the vulnerability itself is critical, its actual weaponization depends on the context in which vm2 is deployed; it is not inherently internet-facing but often integrated into applications that are.

  • Exploitation risk is high.
  • Public exploit code is available.
  • No KEV listing or recent exploitation signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of the vm2 library to version 3.11.3 or later for all Node.js applications. If patching is not feasible, isolate or disable services utilizing vm2 to prevent remote code execution.

  • Update vm2 to version 3.11.3 or later.
  • Isolate affected services if patching is delayed.
  • Monitor for suspicious network activity.

Frequently asked questions

What is vm2 and its primary purpose in Node.js applications?

vm2 is an open-source sandbox designed for Node.js applications. Its primary purpose is to create isolated environments for running untrusted code, acting as a security layer to prevent that code from accessing or altering the host system.

How does the vm2 sandbox escape vulnerability (CVE-2026-45411) work by exploiting asynchronous generators?

CVE-2026-45411 is a sandbox escape vulnerability. It exploits how vm2 handles exceptions within asynchronous generators. By manipulating the closing of a generator, an attacker could cause a host exception to be caught and returned as a value, allowing them to execute arbitrary commands outside the sandbox.

What specific weakness class is associated with the vm2 sandbox escape, and what does it entail?

The weakness class associated with the vm2 sandbox escape is CWE-668, which refers to 'Exposure of Sensitive Information to an Unauthorized Actor'. In this context, it means that the sandbox mechanism failed to adequately protect the host system from unauthorized code execution originating from within the isolated vm2 environment.

What is the relevance of CVE-2026-45411, considering vm2 is a Node.js library and not inherently internet-facing?

While vm2 is a Node.js library and not a standalone service, its relevance is high because it is often integrated into web-facing applications for processing user input or other sensitive tasks. This integration means that if vm2 is deployed within a network-accessible system, the vulnerability allows for arbitrary command execution on the host.

What is the recommended operational fix for the vm2 sandbox escape vulnerability?

The recommended operational fix is to immediately update the vm2 library to version 3.11.3 or later. If immediate patching is not feasible, services utilizing vm2 should be isolated or disabled to prevent potential remote code execution.
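The first remediation step above (and in the Operational Fix section) is confirming which vm2 versions are actually installed, including copies nested under other dependencies. The following script is an added example, not part of this advisory or of the vm2 project: it scans an npm package-lock.json (lockfileVersion 2 or 3) and reports every vm2 install older than the fixed release 3.11.3 named in this advisory. The lockfile contents are constructed for illustration.

```javascript
// Added example (not from the advisory): flag vm2 installs below the fixed release.
const FIXED_VM2 = "3.11.3";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release such as
// 3.11.3-beta.1 sorts below the 3.11.3 release, so it is still treated as unfixed.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // lexical order is sufficient for flagging
}

// Walk the "packages" map of a v2/v3 lockfile. Both the top-level vm2 and any
// copy nested under another dependency's node_modules are checked.
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isVm2 = path === "node_modules/vm2" || path.endsWith("/node_modules/vm2");
    if (isVm2 && meta.version && compareSemver(meta.version, FIXED_VM2) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one outdated top-level vm2, one patched nested copy.
const SAMPLE_LOCKFILE = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.3" },
  },
};

// For a real project: findVulnerableVm2(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
for (const f of findVulnerableVm2(SAMPLE_LOCKFILE)) {
  console.log(`vm2 ${f.version} at ${f.path} is below ${FIXED_VM2}: update required`);
}
```

Nested copies matter because a transitive dependency can pin an old vm2 even after the top-level install is updated, so the scan should be repeated after patching.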
