{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vm2--3.11.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-37903"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["vm2 (\u003c= 3.11.3)"],"_cs_severities":["critical"],"_cs_tags":["vm2","rce","sandbox-escape","CVE-2026-47137"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe vm2 npm package, a sandboxing solution for Node.js, is vulnerable to a remote code execution (RCE) bypass of the CVE-2023-37903 patch. This bypass occurs because the check implemented to prevent the combination of \u003ccode\u003enesting: true\u003c/code\u003e and \u003ccode\u003erequire: false\u003c/code\u003e uses strict equality (\u003ccode\u003e===\u003c/code\u003e). By simply omitting the \u003ccode\u003erequire\u003c/code\u003e option when instantiating a \u003ccode\u003eNodeVM\u003c/code\u003e, the check is bypassed, as \u003ccode\u003eoptions.require\u003c/code\u003e becomes \u003ccode\u003eundefined\u003c/code\u003e, not \u003ccode\u003efalse\u003c/code\u003e. This oversight allows an attacker to bypass the intended security restrictions and execute arbitrary code on the host system. 
This vulnerability affects vm2 versions 3.11.3 and earlier and poses a significant risk to applications relying on vm2 for sandboxing untrusted code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker injects malicious JavaScript code into a \u003ccode\u003eNodeVM\u003c/code\u003e instance configured with \u003ccode\u003enesting: true\u003c/code\u003e but without explicitly setting the \u003ccode\u003erequire\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe initial security check in \u003ccode\u003enodevm.js\u003c/code\u003e at line 263 fails because \u003ccode\u003eoptions.require\u003c/code\u003e is \u003ccode\u003eundefined\u003c/code\u003e instead of \u003ccode\u003efalse\u003c/code\u003e, thus bypassing the intended restriction.\u003c/li\u003e\n\u003cli\u003eThe code inside the \u003ccode\u003eNodeVM\u003c/code\u003e then uses \u003ccode\u003erequire('vm2')\u003c/code\u003e to gain access to the vm2 library itself.\u003c/li\u003e\n\u003cli\u003eThe injected code constructs a new, nested \u003ccode\u003eNodeVM\u003c/code\u003e instance, this time explicitly enabling the \u003ccode\u003echild_process\u003c/code\u003e module via \u003ccode\u003erequire: { builtin: ['child_process'] }\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe nested \u003ccode\u003eNodeVM\u003c/code\u003e instance is then used to execute arbitrary operating system commands using \u003ccode\u003echild_process.execSync()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe output of the command is converted to a string.\u003c/li\u003e\n\u003cli\u003eThe string is returned as the result of the initial \u003ccode\u003envm.run()\u003c/code\u003e call, demonstrating successful command execution on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full remote code execution on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host system. In a multi-tenant environment or any situation where vm2 is used to sandbox untrusted code, this can lead to complete system compromise. The attacker can gain access to sensitive data, install malware, or pivot to other systems on the network. The observed damage is full RCE.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of vm2 that addresses this vulnerability.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix to \u003ccode\u003enodevm.js\u003c/code\u003e locally if an immediate upgrade is not possible: Change the check to \u003ccode\u003eif (options.nesting === true \u0026amp;\u0026amp; !options.require)\u003c/code\u003e as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect attempts to exploit this vulnerability, focusing on \u003ccode\u003eprocess_creation\u003c/code\u003e events originating from within vm2 sandboxes.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual \u003ccode\u003erequire()\u003c/code\u003e calls within vm2 sandboxes, especially those attempting to load the \u003ccode\u003echild_process\u003c/code\u003e module.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T17:52:09Z","date_published":"2026-05-29T17:52:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vm2-rce-bypass/","summary":"The vm2 npm package has a remote code execution vulnerability due to a patch bypass for CVE-2023-37903; the vulnerability occurs because the check for `nesting: true` and `require: false` in `nodevm.js` uses strict equality, which can be bypassed by omitting the `require` option entirely, allowing an attacker to execute arbitrary OS commands.","title":"vm2 CVE-2023-37903 Patch Bypass: Remote Code 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-vm2-rce-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["vm2 (\u003c= 3.11.3)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","rce","vm2"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical sandbox escape vulnerability exists in \u003ccode\u003evm2\u003c/code\u003e (versions 3.11.3 and earlier) that allows for arbitrary code execution on the host system. This vulnerability, assigned CVE-2026-47210, occurs when \u003ccode\u003evm2\u003c/code\u003e is used with Node.js runtimes (specifically Node 26) that expose WebAssembly JSPI features (\u003ccode\u003eWebAssembly.promising\u003c/code\u003e / \u003ccode\u003eWebAssembly.Suspending\u003c/code\u003e). By exploiting the interaction between JSPI-backed Promises and the \u003ccode\u003e.finally()\u003c/code\u003e method, an attacker can bypass the intended sandbox protection and gain access to the host process. This bypass surfaces a host-originated TypeError during JSPI processing, which exposes a usable host constructor chain within attacker-controlled species logic. 
This can lead to full compromise of services relying on \u003ccode\u003evm2\u003c/code\u003e isolation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker provides untrusted JavaScript code to the \u003ccode\u003evm2\u003c/code\u003e sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code leverages WebAssembly JSPI features, specifically \u003ccode\u003eWebAssembly.promising\u003c/code\u003e and \u003ccode\u003eWebAssembly.Suspending\u003c/code\u003e, to create JSPI-backed Promises.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the JSPI-backed Promise to reach the \u003ccode\u003ePromise.prototype.finally()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efinally()\u003c/code\u003e method is triggered, leading to execution of attacker-controlled species logic.\u003c/li\u003e\n\u003cli\u003eA host-originated \u003ccode\u003eTypeError\u003c/code\u003e is generated during JSPI processing due to the Promise rejection.\u003c/li\u003e\n\u003cli\u003eThe rejection object from the TypeError exposes a host constructor chain to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the host constructor chain to gain access to the host \u003ccode\u003eprocess\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003eprocess\u003c/code\u003e object (e.g., \u003ccode\u003eprocess.mainModule.require('child_process').execSync\u003c/code\u003e) to execute arbitrary commands on the host system, escaping the sandbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for a complete sandbox escape, leading to arbitrary code execution in the host process. This poses a significant risk to applications relying on \u003ccode\u003evm2\u003c/code\u003e for security isolation. 
Successful exploitation can result in arbitrary command execution, unauthorized file access (read/write), theft of sensitive data (secrets, tokens, credentials), and full compromise of services utilizing \u003ccode\u003evm2\u003c/code\u003e. This issue affects applications using \u003ccode\u003evm2\u003c/code\u003e to execute untrusted JavaScript, especially those running on Node.js 26.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003evm2\u003c/code\u003e to a version greater than 3.11.3 to patch CVE-2026-47210.\u003c/li\u003e\n\u003cli\u003eApply the following rules to detect potential exploitation attempts targeting \u003ccode\u003evm2\u003c/code\u003e sandboxes.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected child processes spawned from Node.js processes, especially if they involve command execution (Rule: \u0026ldquo;Detect Suspicious Child Process from Node.js\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003evm2\u003c/code\u003e for suspicious activity related to WebAssembly and Promise handling (Rule: \u0026ldquo;Detect vm2 WebAssembly Promise .finally()\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T17:51:55Z","date_published":"2026-05-29T17:51:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-escape/","summary":"A sandbox escape vulnerability, CVE-2026-47210, in `vm2` allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI, bypassing Promise-species hardening and exposing a host-originated rejection object to attacker-controlled species logic.","title":"VM2 Sandbox Escape via JSPI Promise .finally() Species Bypass 
(CVE-2026-47210)","url":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-escape/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["vm2 (\u003c= 3.11.3)"],"_cs_severities":["critical"],"_cs_tags":["vm2","sandbox-escape","rce"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical sandbox breakout vulnerability (CVE-2026-47208) has been identified in vm2 versions 3.11.3 and earlier. This flaw allows an attacker with the ability to execute arbitrary code within the vm2 sandbox to escape the sandbox and achieve arbitrary code execution on the host system. The vulnerability arises due to a missing \u003ccode\u003eresetPromiseSpecies\u003c/code\u003e call within the \u003ccode\u003elocalPromise\u003c/code\u003e constructor when handling rejected promises, leading to the possibility of injecting a custom promise with a specially crafted reject method. This bypasses the intended security boundaries of the vm2 sandbox.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial code execution within the vm2 sandbox environment.\u003c/li\u003e\n\u003cli\u003eAttacker defines a custom \u003ccode\u003eFakePromise\u003c/code\u003e class with a getter for \u003ccode\u003eSymbol.species\u003c/code\u003e that returns a custom constructor \u003ccode\u003ect\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker defines a function \u003ccode\u003edoCatch\u003c/code\u003e that takes a function \u003ccode\u003ef\u003c/code\u003e as input and creates a new Promise using \u003ccode\u003ePromise.withResolvers()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe custom constructor \u003ccode\u003ect\u003c/code\u003e is assigned to the \u003ccode\u003eSymbol.species\u003c/code\u003e of the \u003ccode\u003eFakePromise\u003c/code\u003e class within the \u003ccode\u003edoCatch\u003c/code\u003e function. 
The \u003ccode\u003ect\u003c/code\u003e constructor defines how the promise will be resolved or rejected, intercepting errors.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFakePromise\u003c/code\u003e constructor is called with a resolver function, allowing the custom reject method in \u003ccode\u003ect\u003c/code\u003e to get called when a promise is rejected.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an error within the sandbox (e.g., a \u003ccode\u003eRangeError\u003c/code\u003e by overflowing the stack). The custom reject method in \u003ccode\u003ect\u003c/code\u003e intercepts the error, determines if it is a \u003ccode\u003eRangeError\u003c/code\u003e and not a standard Error object, and then executes host commands using \u003ccode\u003echild_process.execSync('touch pwned')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA file named \u003ccode\u003epwned\u003c/code\u003e is created on the host system, demonstrating successful code execution outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker now has arbitrary code execution on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-47208 allows an attacker to bypass the vm2 sandbox and execute arbitrary code on the host system. This can lead to complete system compromise, data theft, or denial-of-service. The severity is critical due to the ease of exploitation and the potential for widespread impact on applications relying on vm2 for sandboxing untrusted code. 
The number of victims depends on the adoption of the vulnerable vm2 package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to vm2 version 3.11.4 or later to patch CVE-2026-47208.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VM2 Sandbox Escape via Promise Species Manipulation\u0026rdquo; to detect exploitation attempts by monitoring for the execution of \u003ccode\u003echild_process.execSync\u003c/code\u003e within the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of vm2 in environments where untrusted code execution is a significant risk.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T17:41:49Z","date_published":"2026-05-29T17:41:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-breakout/","summary":"VM2 is vulnerable to a sandbox breakout vulnerability (CVE-2026-47208) that allows attackers to execute arbitrary commands on the host system by manipulating Promise species and escaping the sandbox context.","title":"VM2 Sandbox Breakout Vulnerability via Promise Species Manipulation (CVE-2026-47208)","url":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-breakout/"}],"language":"en","title":"CraftedSignal Threat Feed — Vm2 (\u003c= 3.11.3)","version":"https://jsonfeed.org/version/1.1"}