Information Exposure Through an Error Message in vm2 - #VU129587

 


Published: May 4, 2026


Vulnerability identifier: #VU129587
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information about the host environment.

The vulnerability exists due to generation of error messages containing sensitive information in the CallSite wrapper class when processing stack traces from sandboxed code. A remote attacker can trigger an error or override Error.prepareStackTrace to disclose sensitive information about the host environment.

The issue exposes host absolute paths, source locations, and internal function names to sandboxed code.
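The following is an added illustration, not vm2's CallSite wrapper and not the vendor's fix: it uses V8's documented structured stack trace API to show which CallSite getters carry the details listed above, and how a wrapper can blank out frames that do not belong to sandbox code. The names `rawView`, `redactedView`, `leaksHostPath`, `hostInternalHelper`, the allow-list approach and the sample path are assumptions made for this example.

```javascript
'use strict';
// Added illustration: NOT vm2's CallSite wrapper and not the vendor's fix.

// Capture V8 structured CallSite objects for the caller's stack.
function captureCallSites() {
  const saved = Error.prepareStackTrace;
  Error.prepareStackTrace = (_err, sites) => sites;
  try {
    const holder = {};
    Error.captureStackTrace(holder, captureCallSites);
    return holder.stack; // array of CallSite objects while the hook is set
  } finally {
    Error.prepareStackTrace = saved; // always restore the host's hook
  }
}

// Pass-through view: what a wrapper exposes if it forwards every getter.
function rawView(site) {
  return {
    fileName: site.getFileName() || null,
    functionName: site.getFunctionName() || null,
    lineNumber: site.getLineNumber() || null,
  };
}

// Redacted view: only frames whose file is on the sandbox allow-list keep
// their details; host frames are blanked out.
function redactedView(site, sandboxFiles) {
  const file = site.getFileName();
  if (typeof file === 'string' && sandboxFiles.has(file)) return rawView(site);
  return { fileName: null, functionName: null, lineNumber: null };
}

// Review helper: does a view reveal an absolute host path (POSIX, Windows, file: URL)?
function leaksHostPath(view) {
  return typeof view.fileName === 'string' &&
    /^(\/|[A-Za-z]:[\\/]|file:)/.test(view.fileName);
}

// Hypothetical host-side function, used only to put a named host frame on the stack.
function hostInternalHelper() {
  return captureCallSites();
}

// Constructed stand-in for a host frame (path and name are made up).
const constructedHostFrame = {
  getFileName: () => '/srv/host-app/lib/internal.js',
  getFunctionName: () => 'hostInternalHelper',
  getLineNumber: () => 42,
};
```

A check such as `leaksHostPath` can be run in a regression test over every frame a sandbox can observe, so that a pass-through getter is caught before release.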


Remediation

Install the security update from the vendor's website.
