<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 20 Jun 2026 12:03:05 +0000</lastBuildDate>
    <item>
      <title>995aba33-972a-49f9-aa4a-6bf48541a45c</title>
      <link>https://vulnerability.circl.lu/sighting/995aba33-972a-49f9-aa4a-6bf48541a45c/export</link>
      <description>{"uuid": "995aba33-972a-49f9-aa4a-6bf48541a45c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-2CM2-M3W5-GP2F", "type": "seen", "source": "https://gist.github.com/alon710/a7bb9826d4f58a9bb6ab3bd25eb4d508", "content": "# GHSA-2CM2-M3W5-GP2F: GHSA-2CM2-M3W5-GP2F: Remote Code Execution via Transformer Bypass in vm2\n\n&amp;gt; **CVSS Score:** 10.0\n&amp;gt; **Published:** 2026-05-08\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-2CM2-M3W5-GP2F\n\n## Summary\nThe vm2 package for Node.js provides a software-based sandbox for untrusted code execution. Vulnerability GHSA-2CM2-M3W5-GP2F enables an attacker to bypass these sandbox protections via the Transformer component. The issue resides in the parsing logic responsible for intercepting JavaScript property access. Attackers leverage custom prototypes and computed keys to expose the internal sandbox state mechanism, leading to full host compromise.\n\n## TL;DR\nA critical sandbox escape vulnerability in the vm2 library allows attackers to execute arbitrary code on the host system. The flaw exists in the Transformer component, which fails to correctly secure computed-key access on objects with custom prototypes. 
Exploitation yields full unauthenticated Remote Code Execution.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-693: Protection Mechanism Failure\n- **Attack Vector**: Network / Untrusted Input\n- **CVSS Score**: 10.0 (Critical)\n- **Impact**: Unauthenticated Remote Code Execution (RCE)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications processing untrusted JavaScript using vm2 versions &amp;lt; 3.11.2\n- Serverless platforms relying on vm2 for tenant isolation\n- Dynamic configuration systems evaluating user-provided scripts via vm2\n- **vm2**: &amp;lt; 3.11.2 (Fixed in: `3.11.2`)\n\n## Mitigation\n\n- Upgrade vm2 package to version 3.11.2 immediately.\n- Migrate to a V8-isolate based sandbox alternative such as isolated-vm.\n- Implement WAF rules to detect the internal state variable string in payloads.\n- Run the Node.js process with minimal operating system privileges.\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies utilizing the vm2 package.\n2. Update package.json and run npm install to pull version 3.11.2.\n3. Deploy WAF signatures to block requests containing VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL.\n4. Initiate an architectural review to replace vm2 with isolated-vm.\n\n## References\n\n- [GitHub Advisory: GHSA-2CM2-M3W5-GP2F](https://github.com/advisories/GHSA-2CM2-M3W5-GP2F)\n- [NPM Package: vm2](https://www.npmjs.com/package/vm2)\n- [GitLab Advisory Database (GLAD) entry for vm2](https://advisories.gitlab.com/advisories/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-2CM2-M3W5-GP2F) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T16:40:29.000000Z"}</description>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/995aba33-972a-49f9-aa4a-6bf48541a45c/export</guid>
      <pubDate>Fri, 08 May 2026 16:40:29 +0000</pubDate>
    </item>
  </channel>
</rss>
