CVE-2026-45411 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.… | CVSS 9.8 CRITICAL

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

Metadata

CVE ID: CVE-2026-45411
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 01:48 UTC
Published: 2026-05-13 17:38 UTC
Last updated: 2026-05-15 03:56 UTC
Primary CWE: CWE-668
CWE-668: Exposure of Resource to Wrong Sphere
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.11.3

Weakness (CWE)

CWE	Source	Description
CWE-668	cna	CWE-668: Exposure of Resource to Wrong Sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24 https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24