vm2 3.11.3: async gen yield* flaw lets sandbox escape
CVE-2026-45411 Published on May 13, 2026
vm2: Sandbox Breakout Using Async Generator
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.
Vulnerability Analysis
CVE-2026-45411 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Types
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Improper Handling of Structural Elements
The software does not handle or incorrectly handles inputs that are related to complex structures.
Products Associated with CVE-2026-45411
stack.watch emails you whenever new vulnerabilities are published in Red Hat Ansible Portal or Red Hat Rhdh. Just hit a watch button to start following.
Affected Versions
patriksimek vm2:- Version < 3.11.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.