SCA: security update for vm2 (GHSA-mpf8-4hx2-7cjg)

high Tenable Cloud Security Plugin ID 441476

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows
host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise
that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then()
callback preserves host identity. This allows the sandbox to interact with the host object directly,
including performing identity checks using host-side WeakMap and mutating host object state from inside
the sandbox. This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the
stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found,
ensureThis() returns the original object. As a result, objects resolved by host Promises can cross the
sandbox boundary without proper isolation. This vulnerability is fixed in 3.11.0. (CVE-2026-44000)

Solution

Update the vm2 library and its related packages to version 3.11.0 or later.

See Also

https://github.com/advisories/GHSA-mpf8-4hx2-7cjg

Plugin Details

Severity: High

ID: 441476

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/7/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.4

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-44000

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2026

Vulnerability Publication Date: 5/7/2026

Reference Information

CVE: CVE-2026-44000