Protection Mechanism Failure in vm2 - #VU131740

 


Published: May 18, 2026


Vulnerability identifier: #VU131740
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-693
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to interfere with stack-trace formatting and observe bridge-internal data writes.

The vulnerability exists due to a protection mechanism failure in defaultSandboxPrepareStackTrace in lib/setup-sandbox.js when processing error stack traces. A remote attacker can install a setter on Array.prototype at a targeted index to interfere with stack-trace formatting and observe bridge-internal data writes.

The issue is triggered when sandbox code reads error.stack or otherwise invokes Error.prepareStackTrace. The value that can currently be observed is limited to the appended primitive string frame text rather than a host-realm reference.
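
The JavaScript behaviour behind this class of issue, as an added example that is not taken from the advisory or from vm2: an index assignment on an array invokes a setter inherited from Array.prototype, while defining an own data property does not. The function names and sample frames are assumptions made for the illustration.

```javascript
// Added illustration; function names are hypothetical, not vm2's code.

// Pattern at risk: index assignment performs [[Set]], which walks the
// prototype chain and calls an accessor found on Array.prototype.
function formatFramesAssign(frames) {
  const lines = [];
  for (let i = 0; i < frames.length; i++) {
    lines[i] = '    at ' + frames[i];
  }
  return lines.join('\n');
}

// Hardened pattern: defining an own data property never consults the
// prototype chain, so an inherited setter is not invoked.
function formatFramesDefine(frames) {
  const lines = [];
  for (let i = 0; i < frames.length; i++) {
    Reflect.defineProperty(lines, i, {
      value: '    at ' + frames[i],
      writable: true, enumerable: true, configurable: true,
    });
  }
  return lines.join('\n');
}

// Regression check: run a formatter while an accessor sits at
// Array.prototype[index]; return what the setter saw and the output.
// A Set collects values because an array write here would re-enter it.
function probe(formatter, frames, index) {
  const seen = new Set();
  Object.defineProperty(Array.prototype, index, {
    set(value) { seen.add(value); },
    configurable: true,
  });
  let output;
  try {
    output = formatter(frames);
  } finally {
    delete Array.prototype[index]; // always restore the prototype
  }
  return { seen: Array.from(seen), output };
}

// Constructed sample frames, not taken from a real trace.
const FRAMES = ['f (sample.js:1:1)', 'g (sample.js:2:1)'];
console.log(probe(formatFramesAssign, FRAMES, 0));
console.log(probe(formatFramesDefine, FRAMES, 0));
```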


Remediation

Install the security update from the vendor's website.

Sources