CNNVD-202601-4326 Information
CNNVD ID
CNNVD-202601-4326
Related CVE
- CNNVD Published: 2026-01-26
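Description (translated from Chinese)
vm2 is an advanced virtual machine/sandbox for Node.js, written by Patrik Simek, an individual developer from the Czech Republic. It runs untrusted code with whitelisted Node built-in modules. Versions of vm2 before 3.10.2 contain a security vulnerability that stems from the Promise callback sanitization being bypassable, which may allow an attacker to escape the sandbox and execute arbitrary code.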
Description (English)
vm2 is an advanced Node.js virtual machine/sandbox developed by Patrik Simek, an individual developer from the Czech Republic, for running untrusted code with whitelisted Node built-in modules. Versions of vm2 prior to 3.10.2 contain a security vulnerability: the sanitization of Promise callbacks can be bypassed, which could allow attackers to escape the sandbox and execute arbitrary code.
Hazard Level
Low
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2026-01-26
Last Modified
2026-02-24
References
https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29
https://github.com/patriksimek/vm2/releases/tag/v3.10.2
https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
Patch
https://github.com/patriksimek/vm2/releases