<0.1% probability · 23.6th percentile — 2026-05-11
Affected versions
vm2 Node.js sandbox versions prior to 3.11.0
Summary
vm2 is a widely used open-source sandbox for running untrusted JavaScript in Node.js applications. This vulnerability allows attackers to escape the sandbox restriction via a crafted SuppressedError object. Successful exploitation leads to full arbitrary code execution on the host system.
Remediation
Update vm2 to version 3.11.0 or later to address this vulnerability. Scan all Node.js project dependencies to identify vulnerable instances of vm2. If immediate update is not possible, isolate environments running untrusted code with additional network and privilege controls.
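The dependency scan recommended above can be automated. The script below is an added example written for this page; it is not code from TopVuln or the vm2 project. It reads a parsed package-lock.json (both the lockfile v1 "dependencies" tree and the v2/v3 "packages" map) and reports every installed copy of vm2, including transitive copies nested under other dependencies, whose version is older than the fixed release 3.11.0 named above. The version comparison is a small hand-written semver routine rather than a library, and the lockfile data at the bottom is constructed sample input, not a real project's.

```javascript
// Added example (not from the TopVuln page or the vm2 project): report every
// copy of vm2 in a package-lock.json that is older than the fixed release.
// The lockfile below is constructed sample data, not a real project's.

const FIXED_VERSION = "3.11.0"; // fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts before the same release without one (3.11.0-beta.1 < 3.11.0),
// so a pre-release build of the fix is still reported as vulnerable.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Lockfile v1 nests installed packages under each other's "dependencies" key
// (objects with their own "version"), so walk that tree recursively.
function walkV1(deps, prefix, visit) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${name}`;
    visit(installPath, name, meta);
    walkV1(meta.dependencies, `${installPath}/`, visit);
  }
}

// Lockfile v2/v3 flatten every installed package into "packages", keyed by
// install path such as "node_modules/vm2" or
// "node_modules/foo/node_modules/vm2"; the last "node_modules/" segment is the
// package name (scoped names like "@scope/pkg" survive the split intact).
function walkV2(packages, visit) {
  for (const [installPath, meta] of Object.entries(packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name = installPath.split("node_modules/").pop();
    visit(installPath, name, meta);
  }
}

// Scan a parsed package-lock.json object and return every vm2 copy older than
// fixedVersion as { path, version } records.
function findVulnerableVm2(lock, fixedVersion = FIXED_VERSION) {
  const findings = [];
  const visit = (installPath, name, meta) => {
    if (name !== "vm2" || !meta || !meta.version) return;
    if (compareSemver(meta.version, fixedVersion) < 0) {
      findings.push({ path: installPath, version: meta.version });
    }
  };
  if (lock.packages) walkV2(lock.packages, visit);
  else walkV1(lock.dependencies, "", visit);
  return findings;
}

// Constructed sample lockfile (v3): a direct vm2 at the fixed version and a
// transitive copy pinned by a dependency to an older, vulnerable version.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.0" },
    "node_modules/legacy-runner": { version: "1.2.3", dependencies: { vm2: "3.9.19" } },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.9.19" },
  },
};

// Run directly: `node scan-vm2.js` (to scan a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8"))).
if (typeof require !== "undefined" && require.main === module) {
  const findings = findVulnerableVm2(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.path}: vm2@${f.version} is older than ${FIXED_VERSION}`);
  }
  process.exitCode = findings.length ? 1 : 0;
}
```

The direct dependency at 3.11.0 passes, but the nested copy under legacy-runner is reported; a scan that only checks top-level package.json entries would miss exactly that case, which is why the walker descends into nested node_modules paths. The non-zero exit code lets the script gate a CI pipeline.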
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.