OsVault/npm/vm2

npm9 critical

vm2

42 known vulnerabilities · 9 critical · 1 high

GHSA-6j2x-vhqr-qr7q

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

Published May 29, 2026

GHSA-76w7-j9cq-rx2j

vm2 is Vulnerable to Sandbox Breakout Through Promise Species

Published May 29, 2026

GHSA-c4cf-2hgv-2qv6

vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Published May 29, 2026

GHSA-9g8x-92q2-p28f

NodeVM observability builtins leak host process and HTTP request data

Published May 29, 2026

GHSA-m4wx-m65x-ghrr

vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

Published May 29, 2026

GHSA-m5q2-4fm3-vfqp

vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

Published May 29, 2026

CVE-2023-29017CRITICAL

vm2 vulnerable to sandbox escape

Published Apr 7, 2023

GHSA-q3fm-4wcw-g57x

vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter

Published May 29, 2026

GHSA-r9pm-gxmw-wv6p

NodeVM network builtin exclusions bypass via internal _http_client and _http_server

Published May 29, 2026

GHSA-rp36-8xq3-r6c4

NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

Published May 29, 2026

GHSA-v6mx-mf47-r5wg

vm2 has a Sandbox Escape issue

Published May 29, 2026

CVE-2023-37466CRITICAL

vm2 Sandbox Escape vulnerability

Published Jul 13, 2023

GHSA-6785-pvv7-mvg7

vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion

Published May 7, 2026

CVE-2022-25893CRITICAL

vm2 vulnerable to Arbitrary Code Execution

Published Dec 21, 2022

GHSA-wp5r-2gw5-m7q7

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Published May 7, 2026

GHSA-qcp4-v2jj-fjx8

vm2 has a Sandbox Escape Vulnerability

Published May 7, 2026

CVE-2023-32314CRITICAL

vm2 Sandbox Escape vulnerability

Published May 15, 2023

CVE-2019-10761HIGH

vm2 before 3.6.11 vulnerable to sandbox escape

Published Jul 14, 2022

CVE-2026-22709

vm2 has a Sandbox Escape

Published Jan 26, 2026

GHSA-2cm2-m3w5-gp2f

vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`

Published May 8, 2026

GHSA-9qj6-qjgg-37qq

vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`

Published May 8, 2026

GHSA-9vg3-4rfj-wgcm

vm2 has Sandbox Breakout Through Null Proto Exception

Published May 8, 2026

CVE-2023-30547CRITICAL

vm2 Sandbox Escape vulnerability

Published Apr 20, 2023

CVE-2022-36067CRITICAL

vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

Published Sep 28, 2022

CVE-2023-29199CRITICAL

vm2 Sandbox Escape vulnerability

Published Apr 12, 2023

GHSA-ffh4-j6h5-pg66

VM2 Has a WASM Sandbox Escape

Published May 5, 2026

GHSA-grj5-jjm8-h35p

VM2 Sandbox Breakout Through __lookupGetter__

Published May 4, 2026

GHSA-qvjj-29qf-hp7p

VM2 Has Sandbox Breakout Through Promise Species

Published May 5, 2026

GHSA-v37h-5mfm-c47c

VM2 Has Sandbox Breakout Through Inspect Function

Published May 5, 2026

CVE-2021-23449CRITICAL

Prototype Pollution in vm2

Published Oct 19, 2021

GHSA-248r-7h7q-cr24

vm2 Has a Sandbox Breakout Using Async Generator

Published May 14, 2026

CVE-2023-32313MEDIUM

vm2 vulnerable to Inspect Manipulation

Published May 17, 2023

GHSA-55hx-c926-fr95

VM2 Has a Sandbox Escape Issue via SuppressedError

Published May 5, 2026

GHSA-47x8-96vw-5wg6

vm2 Access to Host Object Enables Sandbox Escape

Published May 7, 2026

GHSA-8hg8-63c5-gwmx

vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Published May 7, 2026

GHSA-cp6g-6699-wx9c

vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

Published May 7, 2026

GHSA-mpf8-4hx2-7cjg

vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary

Published May 7, 2026

GHSA-hw58-p9xv-2mjh

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

Published May 7, 2026

GHSA-vwrp-x96c-mhwq

vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

Published May 7, 2026

GHSA-947f-4v7f-x2v8

vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape

Published May 7, 2026

GHSA-v27g-jcqj-v8rw

vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak

Published May 7, 2026

CVE-2021-23555CRITICAL

Sandbox bypass in vm2

Published Feb 12, 2022

Check your entire dependency tree at onceRun dependency scan →