Improper Validation of Array Index Affecting vm2 package, versions >=3.11.0 <3.11.4


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-VM2-17111162
  • published31 May 2026
  • disclosed29 May 2026
  • creditfg0x0

Introduced: 29 May 2026

CVE NOT AVAILABLE CWE-129  (opens in a new tab)

How to fix?

Upgrade vm2 to version 3.11.4 or higher.

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Improper Validation of Array Index through the defaultSandboxPrepareStackTrace function in lib/setup-sandbox.js. An attacker can observe or rewrite error.stack output by installing a setter on Array.prototype[N] or overriding Array.prototype.join before triggering stack formatting. The sandbox’s stack-trace formatter builds the stack in a sandbox-realm array and then joins it, so untrusted code can intercept the bridge-internal frame list and alter the string returned to application code.

CVSS Base Scores

version 4.0
version 3.1