{"vulnerability": "CVE-2026-45411", "sightings": [{"uuid": "668ce1d9-26a6-434b-9316-8838a4a50093", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45411", "type": "seen", "source": "https://gist.github.com/alon710/8f8ab6f5732ed98c8d3fdb3bd09a3eb7", "content": "# CVE-2026-45411: CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45411\n\n## Summary\nCVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.\n\n## TL;DR\nA critical vulnerability in vm2 (CVE-2026-45411, CVSS 9.8) allows sandbox escape and host RCE via V8 engine async generator handling. Versions prior to 3.11.3 are affected.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **Vulnerability Class**: Sandbox Breakout / Escape\n- **CWE IDs**: CWE-668, CWE-913\n- **CVSS v3.1 Base Score**: 9.8\n- **Attack Vector**: Network\n- **Exploit Status**: Proof of Concept Available\n- **EPSS Percentile**: 17.01%\n- **CISA KEV Listed**: No\n\n## Affected Systems\n\n- Node.js environments utilizing vm2 versions < 3.11.3 for untrusted code execution\n- **vm2**: < 3.11.3 (Fixed in: `3.11.3`)\n\n## Mitigation\n\n- Upgrade vm2 to patched version 3.11.3\n- Implement defense-in-depth via OS-level containerization (Docker/LXC)\n- Enforce strict seccomp profiles on the Node.js process executing untrusted code\n- Run the Node.js process executing vm2 with minimum required privileges\n\n**Remediation Steps:**\n1. Audit dependency trees using `npm ls vm2` or `yarn why vm2` to locate all instances of the package.\n2. Update direct dependencies in package.json to point to `^3.11.3`.\n3. Use dependency resolution overrides (e.g., `npm overrides` or `yarn resolutions`) to force transitive dependencies to use version 3.11.3.\n4. Rebuild package lockfiles and deploy the updated application to staging environments.\n5. Execute functional tests to verify the `setup-sandbox.js` changes do not break legitimate async generator usage.\n6. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Advisory: GHSA-248r-7h7q-cr24](https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24)\n- [NVD Vulnerability Detail: CVE-2026-45411](https://nvd.nist.gov/vuln/detail/CVE-2026-45411)\n- [CVE Record: CVE-2026-45411](https://www.cve.org/CVERecord?id=CVE-2026-45411)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45411) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-14T21:40:29.000000Z"}, {"uuid": "d1887696-8704-41ac-9d05-4a1471fa6e5f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-45411", "type": "published-proof-of-concept", "source": "https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24", "content": "", "creation_timestamp": "2026-05-11T02:18:50.000000Z"}]}