Code Injection in vm2 - #VU129591
Published: May 4, 2026
Vulnerability identifier: #VU129591
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Patrik Simek
Affected software:
vm2
vm2
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in BaseHandler.getPrototypeOf in vm2/lib/bridge.js when processing crafted objects through util.inspect and WebAssembly.compileStreaming. A remote attacker can send specially crafted input to escape the sandbox and execute arbitrary code.
The issue can be triggered by reaching BaseHandler via util.inspect to obtain arbitrary prototypes.
Remediation
Install security update from vendor's website.