CVE Catalog

CVE-2026-45411

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.57%

43th percentile — higher than 43% of all known CVEs

Summary

In the vm2 library for Node.js prior to version 3.11.3, a vulnerability allows catching a host exception using the yield* expression inside an async generator. Closing the generator with the return function causes the value to be awaited, and exceptions thrown in the then call are caught by the runtime and passed as the next value to the yield* iterator, enabling sandbox escape and arbitrary command execution.

Risk Assessment

An attacker can exploit this vulnerability to completely bypass the VM2 sandbox isolation and execute arbitrary code on the server, leading to full application compromise and potential host system takeover.

Recommendation

Immediately update the vm2 library to version 3.11.3 or later. If an update is not possible, consider temporarily disabling features related to async generators.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS