Exposure of Resource to Wrong Sphere in vm2 - #VU131732


Published: May 18, 2026


Vulnerability identifier: #VU131732
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-668
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the NodeVM builtin module handling exposes process-wide observability resources to the wrong sphere when require.builtin access is allowed for diagnostics_channel, async_hooks, or perf_hooks. A remote user can run untrusted JavaScript that uses these builtins to disclose sensitive information.

Exploitation requires the host application to allow these builtins and use HTTP, async request context, diagnostics channels, or performance marks in the same process.


Remediation

Install security update from vendor's website.

Sources