{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3avm2_projectvm2node.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-45411"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["vm2 (\u003c= 3.11.2)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","rce","vm2"],"_cs_type":"advisory","_cs_vendors":["NPM"],"content_html":"\u003cp\u003eA critical sandbox breakout vulnerability has been identified in vm2, a popular Node.js sandbox environment. This flaw, identified as CVE-2026-45411, allows malicious code to escape the confines of the vm2 sandbox and execute arbitrary commands on the host system. The vulnerability stems from the improper handling of exceptions within async generators, specifically when using the \u003ccode\u003eyield*\u003c/code\u003e expression. This allows attackers to catch host exceptions and manipulate the execution flow to achieve code execution outside the sandbox. The affected versions are vm2 versions 3.11.2 and earlier. This vulnerability poses a significant risk to applications relying on vm2 for secure code execution, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker provides malicious JavaScript code to the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eThe malicious code defines an async generator function that utilizes the \u003ccode\u003eyield*\u003c/code\u003e expression.\u003c/li\u003e\n\u003cli\u003eThe code triggers a host exception within the sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe exception is caught within the async generator using a specially crafted iterator.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the caught exception object to access host objects and functions.\u003c/li\u003e\n\u003cli\u003eThis access is used to bypass the sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the \u003ccode\u003echild_process\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host system using \u003ccode\u003echild_process.execSync()\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to perform Remote Code Execution (RCE) on the host system. This can lead to a complete compromise of the affected system, including data theft, system corruption, and further propagation of malicious activity. Given the popularity of vm2 in sandboxing untrusted JavaScript code, a wide range of applications and systems could be at risk if they are using versions 3.11.2 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to vm2 version 3.11.3 or later to patch CVE-2026-45411.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VM2 Sandbox Breakout via Async Generator\u0026rdquo; to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization to minimize the risk of malicious code being introduced into the vm2 sandbox.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T21:16:46Z","date_published":"2026-05-14T21:16:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-breakout/","summary":"A sandbox breakout vulnerability exists in vm2, tracked as CVE-2026-45411, allowing attackers to execute arbitrary commands on the host system by manipulating async generators to catch host exceptions, leading to remote code execution.","title":"VM2 Sandbox Breakout via Async Generator","url":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-breakout/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*","version":"https://jsonfeed.org/version/1.1"}