CVE-2026-45411: CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation

CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation

Vulnerability ID: CVE-2026-45411
CVSS Score: 9.8
Published: 2026-05-14

CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.

TL;DR

A critical vulnerability in vm2 (CVE-2026-45411, CVSS 9.8) allows sandbox escape and host RCE via V8 engine async generator handling. Versions prior to 3.11.3 are affected.

---

⚠️ Exploit Status: POC

Technical Details

• Vulnerability Class: Sandbox Breakout / Escape
• CWE IDs: CWE-668, CWE-913
• CVSS v3.1 Base Score: 9.8
• Attack Vector: Network
• Exploit Status: Proof of Concept Available
• EPSS Percentile: 17.01%
• CISA KEV Listed: No

Affected Systems

• Node.js environments utilizing vm2 versions < 3.11.3 for untrusted code execution
• vm2: < 3.11.3 (Fixed in: 3.11.3)

Code Analysis

Commit: 093494c

Fix async generator sandbox breakout vulnerability by isolating exceptions and sanitizing thenable arguments

Changes to lib/setup-sandbox.js implementing sanitizeThenableArg, safeThen, and AsyncGeneratorPrototype method wrapping

Exploit Details

• GitHub Security Advisory: Public disclosure containing the proof-of-concept for the RangeError stack overflow escape.

Mitigation Strategies

• Upgrade vm2 to patched version 3.11.3
• Implement defense-in-depth via OS-level containerization (Docker/LXC)
• Enforce strict seccomp profiles on the Node.js process executing untrusted code
• Run the Node.js process executing vm2 with minimum required privileges

Remediation Steps:

1. Audit dependency trees using npm ls vm2 or yarn why vm2 to locate all instances of the package.
2. Update direct dependencies in package.json to point to ^3.11.3.
3. Use dependency resolution overrides (e.g., npm overrides or yarn resolutions) to force transitive dependencies to use version 3.11.3.
4. Rebuild package lockfiles and deploy the updated application to staging environments.
5. Execute functional tests to verify the setup-sandbox.js changes do not break legitimate async generator usage.
6. Deploy the updated application to production environments.

References

• GitHub Advisory: GHSA-248r-7h7q-cr24
• NVD Vulnerability Detail: CVE-2026-45411
• CVE Record: CVE-2026-45411

---

Read the full report for CVE-2026-45411 on our website for more details including interactive diagrams and full exploit analysis.