Link following in vm2 - #VU129590

Published: May 4, 2026


Vulnerability identifier: #VU129590
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the host system.

The vulnerability exists due to improper link resolution before file access in the NodeVM require.root path restriction enforcement (lib/resolver-compat.js and lib/filesystem.js) when modules are loaded through symlinks from within an allowed root directory in host context. A remote user can submit sandboxed code that requires a specially linked module and thereby execute arbitrary code on the host system.

Exploitation requires symlinks inside the allowed root that point outside it, and is possible when NodeVM is configured with the require context set to host.

Remediation

Install security update from vendor's website.

Sources