CVE-2026-45411
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
In the vm2 library for Node.js prior to version 3.11.3, a vulnerability allows catching a host exception using the yield* expression inside an async generator. Closing the generator with the return function causes the value to be awaited, and exceptions thrown in the then call are caught by the runtime and passed as the next value to the yield* iterator, enabling sandbox escape and arbitrary command execution.
Risk Assessment
An attacker can exploit this vulnerability to completely bypass the VM2 sandbox isolation and execute arbitrary code on the server, leading to full application compromise and potential host system takeover.
Recommendation
Immediately update the vm2 library to version 3.11.3 or later. If an update is not possible, consider temporarily disabling features related to async generators.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

