Allocation of Resources Without Limits or Throttling in vm2 - #VU129585


Published: May 4, 2026


Vulnerability identifier: #VU129585
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists because Buffer.alloc, which the vm2 sandbox bridge exposes to sandboxed code, allocates host memory without any size limit or throttling: sandboxed code can call Buffer.alloc with an arbitrary size. A remote attacker can supply crafted code that allocates excessive host memory and causes a denial of service.

In memory-constrained environments, a single request can terminate the host process with an out-of-memory condition. The issue bypasses vm2's timeout handling because the allocation happens inside a single synchronous native call, which the timeout cannot interrupt.
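As an added illustration of the mitigation (this is not vm2's code nor the vendor's fix), the following Node.js module builds a size-capped facade over the host `Buffer` that can be handed to sandboxed code instead of the real one. Because the host timeout cannot interrupt a synchronous native allocation, the check has to run in JavaScript before the native call. The cap values, the `AllocationCapExceeded` class, the helper names and the way the facade is wired into a sandbox are all assumptions made for this example.

```javascript
'use strict';
// Added example: a size-capped Buffer facade to give sandboxed code in place
// of the host Buffer. Not vm2's code; cap values, class and helper names and
// the sandbox wiring are assumptions for illustration.

const DEFAULT_MAX_BYTES_PER_CALL = 16 * 1024 * 1024; // assumed: 16 MiB per call
const DEFAULT_MAX_BYTES_TOTAL = 64 * 1024 * 1024;    // assumed: 64 MiB per sandbox instance

class AllocationCapExceeded extends Error {
  constructor(requested, limit) {
    super(`allocation of ${requested} bytes exceeds cap of ${limit} bytes`);
    this.name = 'AllocationCapExceeded';
    this.requested = requested;
    this.limit = limit;
  }
}

// Reject anything that is not a non-negative integer before touching the
// native allocator. This check runs in JavaScript, so a script timeout can
// still interrupt it, unlike the allocation itself.
function checkSize(size, limit) {
  if (typeof size !== 'number' || !Number.isInteger(size) || size < 0) {
    throw new TypeError('size must be a non-negative integer');
  }
  if (size > limit) throw new AllocationCapExceeded(size, limit);
  return size;
}

// Estimate how many bytes Buffer.from(value, ...) would allocate so the cap
// can be enforced before the copy happens. For ArrayBuffer sources this is a
// conservative upper bound (Buffer.from may share rather than copy).
function sizeOfSource(value, encoding) {
  if (typeof value === 'string') return Buffer.byteLength(value, encoding);
  if (value instanceof ArrayBuffer || ArrayBuffer.isView(value)) return value.byteLength;
  if (Array.isArray(value)) return value.length;
  throw new TypeError('unsupported source for from()');
}

// Builds a frozen object exposing a subset of the Buffer API. Every entry
// point that allocates checks a per-call cap and a running per-instance total
// before calling into the native allocator.
function makeCappedBuffer({
  maxBytesPerCall = DEFAULT_MAX_BYTES_PER_CALL,
  maxBytesTotal = DEFAULT_MAX_BYTES_TOTAL,
} = {}) {
  let allocated = 0;

  function account(size) {
    checkSize(size, maxBytesPerCall);
    if (allocated + size > maxBytesTotal) {
      throw new AllocationCapExceeded(allocated + size, maxBytesTotal);
    }
    allocated += size;
    return size;
  }

  return Object.freeze({
    alloc: (size, fill, encoding) => Buffer.alloc(account(size), fill, encoding),
    // allocUnsafe is mapped onto the zero-filling allocator so sandboxed code
    // can never read stale host memory through an uninitialised buffer.
    allocUnsafe: (size) => Buffer.alloc(account(size)),
    from: (value, encodingOrOffset, length) => {
      const encoding = typeof encodingOrOffset === 'string' ? encodingOrOffset : undefined;
      account(sizeOfSource(value, encoding));
      return Buffer.from(value, encodingOrOffset, length);
    },
    byteLength: Buffer.byteLength,
    isBuffer: Buffer.isBuffer,
    totalAllocated: () => allocated,
  });
}

// Stand-alone demonstration: a per-call cap of 1 KiB and a 2 KiB total.
function demo() {
  const capped = makeCappedBuffer({ maxBytesPerCall: 1024, maxBytesTotal: 2048 });
  const results = [];
  results.push(capped.alloc(1024).length);            // 1024: within both caps
  try { capped.alloc(1025); } catch (e) { results.push(e.name); } // per-call cap
  results.push(capped.allocUnsafe(1024).length);      // 1024: reaches the total
  try { capped.alloc(1); } catch (e) { results.push(e.name); }    // total cap
  results.push(capped.totalAllocated());              // 2048
  return results;
}
```

The facade is what you would place in the sandbox's global scope in place of the host `Buffer` (with vm2, via the `sandbox` option; whether that shadows the bridged `Buffer` in a given vm2 version is an assumption to verify, not something this page states). Two caveats worth keeping in mind: `Buffer` backing stores live outside the V8 heap, so a `--max-old-space-size` limit does not bound them, and a cap enforced inside the same process is only as strong as the bridge that exposes it. Running untrusted code in a separate process under an OS-level memory limit remains the defence in depth that survives a bypass of any in-process check.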


Remediation

Install the security update from the vendor's website.

Sources