Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-45411: RCE in vm2 Node.js Sandbox
Platform
nodejs
Component
vm2
Opgelost in
3.11.3
CVE-2026-45411 affects the vm2 Node.js sandbox, a tool used for creating isolated JavaScript environments. This vulnerability allows attackers to escape the sandbox and execute arbitrary commands on the host system, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 up to and including 3.11.2. A fix is available in version 3.11.3.
Impact en Aanvalsscenarioswordt vertaald…
The impact of CVE-2026-45411 is severe. Successful exploitation allows an attacker to bypass the intended isolation of the vm2 sandbox and gain direct access to the host system. This could involve executing malicious code, stealing sensitive data, installing malware, or establishing persistent backdoors. The ability to execute arbitrary commands effectively grants the attacker complete control over the affected system. This vulnerability shares similarities with sandbox escape vulnerabilities where improper exception handling leads to privilege escalation and code execution outside the intended boundaries.
Uitbuitingscontextwordt vertaald…
CVE-2026-45411 was published on 2026-05-13. Its severity is rated CRITICAL (CVSS 9.8). Exploitation context is currently limited, with no known active campaigns or widespread exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's severity and ease of exploitation. It is not currently listed on KEV or EPSS, but the high CVSS score suggests a medium to high probability of exploitation if a POC is released.
Dreigingsinformatie
Exploit Status
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2026-45411 is to immediately upgrade to vm2 version 3.11.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by carefully reviewing and sanitizing any user-provided code executed within the vm2 sandbox. While not a complete solution, restricting the permissions of the process running vm2 can limit the potential damage. Monitor system logs for unusual activity or errors related to vm2, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerability with known exploit patterns and verifying that the sandbox remains intact.
Hoe te verhelpenwordt vertaald…
Actualice a la versión 3.11.3 o superior para mitigar la vulnerabilidad. Esta versión corrige el problema al manejar correctamente las excepciones dentro de los generadores asíncronos, evitando la posibilidad de escape del sandbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-45411 — RCE in vm2 Node.js Sandbox?
CVE-2026-45411 is a critical Remote Code Execution (RCE) vulnerability in the vm2 Node.js sandbox, allowing attackers to escape the sandbox and execute arbitrary code on the host system. It affects versions 0.0.0 through 3.11.2.
Am I affected by CVE-2026-45411 in vm2?
Yes, if you are using vm2 versions 0.0.0 through 3.11.2, you are vulnerable to this RCE. Immediately check your installed version and upgrade if necessary.
How do I fix CVE-2026-45411 in vm2?
The recommended fix is to upgrade to vm2 version 3.11.3 or later. This version includes a patch that addresses the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like code review and permission restrictions.
Is CVE-2026-45411 being actively exploited?
Currently, there are no confirmed reports of active exploitation. However, given the vulnerability's severity and potential impact, exploitation is likely if a public proof-of-concept is released.
Where can I find the official vm2 advisory for CVE-2026-45411?
Refer to the vm2 project's GitHub repository and associated security advisories for the latest information and updates regarding CVE-2026-45411: [https://github.com/vm2js/vm2](https://github.com/vm2js/vm2)
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Probeer het nu — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...