無料スキャン
分析待ちCVE-2026-45411

CVE-2026-45411: RCE in vm2 Node.js Sandbox

プラットフォーム

nodejs

コンポーネント

vm2

修正版

3.11.3

NVDで見る
保存

CVE-2026-45411 affects the vm2 Node.js sandbox, a tool used for creating isolated JavaScript environments. This vulnerability allows attackers to escape the sandbox and execute arbitrary commands on the host system, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 up to and including 3.11.2. A fix is available in version 3.11.3.

影響と攻撃シナリオ翻訳中…

The impact of CVE-2026-45411 is severe. Successful exploitation allows an attacker to bypass the intended isolation of the vm2 sandbox and gain direct access to the host system. This could involve executing malicious code, stealing sensitive data, installing malware, or establishing persistent backdoors. The ability to execute arbitrary commands effectively grants the attacker complete control over the affected system. This vulnerability shares similarities with sandbox escape vulnerabilities where improper exception handling leads to privilege escalation and code execution outside the intended boundaries.

悪用の状況翻訳中…

CVE-2026-45411 was published on 2026-05-13. Its severity is rated CRITICAL (CVSS 9.8). Exploitation context is currently limited, with no known active campaigns or widespread exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's severity and ease of exploitation. It is not currently listed on KEV or EPSS, but the high CVSS score suggests a medium to high probability of exploitation if a POC is released.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CISA SSVC

悪用状況poc
自動化可能yes
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントvm2
ベンダーpatriksimek
最小バージョン0.0.0
最大バージョン< 3.11.3
修正版3.11.3

弱点分類 (CWE)

CWE-668

タイムライン

  1. 予約済み
  2. 公開日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-45411 is to immediately upgrade to vm2 version 3.11.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by carefully reviewing and sanitizing any user-provided code executed within the vm2 sandbox. While not a complete solution, restricting the permissions of the process running vm2 can limit the potential damage. Monitor system logs for unusual activity or errors related to vm2, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerability with known exploit patterns and verifying that the sandbox remains intact.

修正方法翻訳中…

Actualice a la versión 3.11.3 o superior para mitigar la vulnerabilidad. Esta versión corrige el problema al manejar correctamente las excepciones dentro de los generadores asíncronos, evitando la posibilidad de escape del sandbox.

よくある質問翻訳中…

What is CVE-2026-45411 — RCE in vm2 Node.js Sandbox?

CVE-2026-45411 is a critical Remote Code Execution (RCE) vulnerability in the vm2 Node.js sandbox, allowing attackers to escape the sandbox and execute arbitrary code on the host system. It affects versions 0.0.0 through 3.11.2.

Am I affected by CVE-2026-45411 in vm2?

Yes, if you are using vm2 versions 0.0.0 through 3.11.2, you are vulnerable to this RCE. Immediately check your installed version and upgrade if necessary.

How do I fix CVE-2026-45411 in vm2?

The recommended fix is to upgrade to vm2 version 3.11.3 or later. This version includes a patch that addresses the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like code review and permission restrictions.

Is CVE-2026-45411 being actively exploited?

Currently, there are no confirmed reports of active exploitation. However, given the vulnerability's severity and potential impact, exploitation is likely if a public proof-of-concept is released.

Where can I find the official vm2 advisory for CVE-2026-45411?

Refer to the vm2 project's GitHub repository and associated security advisories for the latest information and updates regarding CVE-2026-45411: [https://github.com/vm2js/vm2](https://github.com/vm2js/vm2)

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...