Incorrect authorization in vm2 - #VU129589
Published: May 4, 2026
vm2
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the host system.
The vulnerability exists due to improper access control in the NodeVM builtin allowlist handling for the 'module' builtin when processing sandboxed code that is permitted to require builtins. A remote user can invoke Module._load() through the allowed 'module' builtin to execute arbitrary code on the host system.
Exploitation requires the 'module' builtin to be allowed (including through the '*' wildcard) and results in a sandbox escape from the sandbox into the host context.