CVE-2026-45411 Overview
CVE-2026-45411 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.3 improperly handle host exceptions thrown inside async generators. Attackers can use the yield* expression to catch a host exception and execute arbitrary commands on the host system. The vulnerability falls under [CWE-668] Exposure of Resource to Wrong Sphere and breaks the core security boundary that vm2 is designed to enforce.
Critical Impact
Successful exploitation allows attackers to escape the vm2 sandbox and execute arbitrary code on the host with the privileges of the Node.js process.
Affected Products
- vm2 (npm package) versions prior to 3.11.3
- Node.js applications that execute untrusted code inside vm2 sandboxes
- Server-side platforms relying on vm2 for code isolation
Discovery Timeline
- 2026-05-13 - CVE-2026-45411 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45411
Vulnerability Analysis
The vm2 library isolates untrusted JavaScript code by wrapping host objects with proxies and intercepting cross-boundary operations. The sandbox depends on preventing untrusted code from obtaining direct references to host objects or unhandled host exceptions.
In versions prior to 3.11.3, the runtime exposes a host-side exception object to sandboxed code through the async generator return path. Once the sandbox holds a reference to a host object, it can walk the prototype chain to reach the host Function constructor and call arbitrary host code. Where sandboxed code execution is reachable over the network with unauthenticated, attacker-controlled input, the result is a full sandbox escape.
Root Cause
The flaw stems from how vm2 handles closure of an async generator that contains a yield* expression. When the generator is closed using its return function, the yielded value is awaited. If the awaited then call throws, the runtime catches the exception and passes it back to the yield* iterator as the next value. The exception object originates from the host realm and is delivered to sandboxed code without being wrapped or sanitized, breaking realm isolation.
Attack Vector
An attacker supplies JavaScript that runs inside a vm2 sandbox. The payload defines an async generator using yield* against an iterator whose then method throws. Closing the generator triggers the unsanitized delivery of the host exception. The attacker reads properties from that host object to reach the host Function constructor and invoke child_process.exec or equivalent APIs. No authentication or user interaction is required when sandboxed code execution is exposed over a network service.
No verified public proof-of-concept code is included in this advisory. Refer to the GitHub Security Advisory GHSA-248r-7h7q-cr24 for the upstream technical description.
Detection Methods for CVE-2026-45411
Indicators of Compromise
- Node.js processes spawning unexpected child processes such as /bin/sh, bash, cmd.exe, or powershell.exe shortly after evaluating sandboxed input
- Outbound network connections from a Node.js host to attacker infrastructure following sandbox execution
- Unexpected file writes by the Node.js process outside its working directory
Detection Strategies
- Inventory all applications using the vm2 npm package and flag versions earlier than 3.11.3 through software composition analysis
- Monitor for sandboxed code that combines async function*, yield*, and custom thenable objects, which matches the exploit pattern
- Alert on Node.js parent processes spawning shells or interpreters, which is anomalous for most sandbox workloads
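The two static checks above (flagging vm2 installs below 3.11.3 during software composition analysis, and screening sandbox input for the async function*/yield*/thenable combination) can be scripted. The following is an added example, not code from the vm2 project or from the advisory: it walks a lockfileVersion 2/3 package-lock.json "packages" map with a minimal semver comparison (no dependencies), and applies a lexical triage rule to source text. The sample lockfile and source strings are constructed for illustration.

```javascript
// Added example (not vm2 project code): software-composition check for the
// vulnerable vm2 range plus a lexical screen for the pattern the advisory
// describes (async function*, yield*, and a custom thenable).

const FIXED_VM2_VERSION = '3.11.3';

// Parse "MAJOR.MINOR.PATCH" into a numeric triple. A leading ^ ~ = or v
// range marker is stripped; prerelease/build suffixes are ignored.
function parseSemver(version) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric, component by component).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a parsed package-lock.json (lockfileVersion 2/3 "packages" map) and
// report every vm2 install below the fixed version, nested copies included.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VM2_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Lexical screen for sandbox input that combines the three ingredients the
// advisory names. It is a triage signal, not proof of exploitation:
// legitimate code can use all three. `.then(` promise chains are excluded;
// only a `then` being *defined* (method shorthand, property, assignment)
// counts as a custom thenable.
function matchesAsyncGeneratorPattern(source) {
  const hasAsyncGen = /\basync\s+function\s*\*/.test(source);
  const hasYieldStar = /\byield\s*\*/.test(source);
  const hasThenable = /(?<![.\w])then\s*[(:=]/.test(source);
  return hasAsyncGen && hasYieldStar && hasThenable;
}

// Constructed sample lockfile (not from a real project): one vulnerable
// top-level copy and one already-fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.3' },
  },
};

// Constructed sample inputs for the lexical screen.
const FLAGGED_SOURCE =
  'async function* g() { yield* other; } const t = { then: (r) => r(1) };';
const BENIGN_SOURCE =
  'async function f(u) { return await fetch(u).then((r) => r.json()); }';

function runChecks() {
  return {
    vulnerableInstalls: findVulnerableVm2(SAMPLE_LOCK),
    flagged: matchesAsyncGeneratorPattern(FLAGGED_SOURCE),
    benign: matchesAsyncGeneratorPattern(BENIGN_SOURCE),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

In a real pipeline, feed findVulnerableVm2 the parsed lockfile of each service and fail the build on any finding; the lexical screen belongs in front of the sandbox as a logging or blocking step, with the understanding that it only narrows what to look at.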
Monitoring Recommendations
- Collect process creation telemetry from Node.js hosts and forward to a SIEM for correlation against sandbox execution events
- Enable Node.js audit logging or --inspect instrumentation in development to capture suspicious VM evaluations
- Track egress traffic from servers running vm2 workloads and baseline normal destinations
How to Mitigate CVE-2026-45411
Immediate Actions Required
- Upgrade the vm2 dependency to version 3.11.3 or later across all production, staging, and development environments
- Audit code paths that pass untrusted input to vm2 and disable or gate them until the upgrade is verified
- Rotate secrets accessible to any host that ran a vulnerable vm2 build exposed to untrusted input
Patch Information
The maintainers fixed the issue in vm2 version 3.11.3. The patch corrects exception handling for async generators so host exceptions thrown from the then call are no longer passed unsanitized to the yield* iterator. See the GitHub Security Advisory GHSA-248r-7h7q-cr24 for full advisory details.
Workarounds
- Migrate to a maintained sandbox alternative such as isolated-vm, which uses V8 isolates for stronger separation
- Run Node.js processes that execute untrusted code inside containers or microVMs with seccomp, AppArmor, or gVisor restrictions
- Drop process privileges, restrict filesystem access, and block outbound network access for sandbox host processes
# Configuration example
npm install vm2@^3.11.3
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.