#vm2

Olly 👾 Olly42@nerdculture.de
2026-02-02

:javascript: Critical vm2 Node.js Flaw allows Sandbox Escape and Arbitrary Code Execution.

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.

โ‰๏ธThe vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.โ‰๏ธ

endorlabs.com/learn/cve-2026-2

#vm2 #nodejs #sandbox #escape #arbitrary #code #execution #it #security #privacy #engineer #media #secure #javascript #programming #developer #tech #news

โ‰๏ธ"In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed," vm2 maintainer Patrik Simek said. "This allows attackers to escape the sandbox and run arbitrary code."โ‰๏ธ

<https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8>

vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

<https://github.com/patriksimek/vm2>

<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy>

The newly discovered flaw stems from the library's improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.

<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise>

"The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not properly sanitized [unlike `localPromise`]," Endor Labs researchers Peyton Kennedy and Cris Staicu said.

👾 In light of the criticality of the flaw, users are recommended to update to the most recent version [3.10.3], which comes with fixes for additional sandbox escapes. 👾

<https://github.com/patriksimek/vm2/releases/tag/v3.10.3>
Judeau (EatTheRich) Judeau@mas.to
2025-05-15

The #Sega #Dreamcast #VMUPro just went live for pre-orders on #8BitMods website.

I secured a smoke black one.

It ships in October and with 8-day Royal Mail it came to $97.00 here in the States.

This thing seems so cool and its features appeal to me more than the #VM2 that was released by Dreamware.

#Gaming #VideoGames #RetroGaming

A picture of the Smoke Black VMU Pro for the Dreamcast.

It is an enhanced memory card and details everything it can do. One exciting feature is the ability to play 8-bit emulators!
Sam Steele 🏳️‍🌈 🎮 📸 👨‍💻 sam@mastodon.c99.org
2024-11-17

Finally got around to swapping the buttons on my VM2 with the ones from my original SEGA VMU. They really feel so much nicer, and I prefer the color of the original buttons too.

#SEGA #Dreamcast #RetroGaming #VMU #VM2 #SkiesOfArcadia #PintasQuest #Gaming

DreamMods VM2 displaying a screen from the Pinta's Quest mini game. The dark grey buttons have been replaced by the blueish-grey buttons from an original VMU.
Judeau (EatTheRich) Judeau@mas.to
2024-06-26

Let's Goooooooooooo!

Almost a year and a half ago (!!!!) I ordered the #VM2, a next generation #VMU for the #Sega #Dreamcast!

The device, made by Dreamware Enterprises, has finally made its way to my doorstep!

Unfortunately this afternoon is completely booked. 😔

Hopefully I'll get some time to tinker around with it later tonight.

#Gaming #VideoGames #Games #RetroGaming #RetroGames

The front of the VM2 box. The box has a clear window so you can see the VM2. The box is mostly in blue and has a picture of a Dreamcast controller.

The back of the VM2 box. Apparently it's more than a memory card, so it boasts.

It shows a line drawing of the vm2 and a breakdown of its exposed pieces.

And then goes on to detail the features of the device.
Sam Steele 🏳️‍🌈 🎮 📸 👨‍💻 sam@mastodon.c99.org
2024-03-16

Chao Adventure is a lot more fun when you don't have to worry about replacing the batteries

#SEGA #Dreamcast #RetroGaming #gaming #Dreamware #VM2 #SonicAdventure #ChaoAdventure

Dreamware Enterprises VM2 playing Chao Adventure, with a SEGA Dreamcast in the background
Judeau (EatTheRich) Judeau@mas.to
2024-02-01

@SuperSelena64 Been waiting on the #VM2 for so long...

I should be included in the next shipment or two. I can't wait!

Judeau (EatTheRich) Judeau@mas.to
2023-12-01

The wait is agonizing!

Another batch of the #VM2 have shipped out.

I was really hoping that I would have mine by Christmas, but at this rate it looks like it will be February or March.

My order number is 17xx and other than the first shipment they are steadily shipping only 200-ish a month.

The anticipation is brutal but I just need to be patient. Mine will ship eventually.

#VMU #Sega #Dreamcast #RetroGaming #VideoGames

A picture detailing the batches of Dreamcast VM2s that have been shipped out.

The first batch was 460 units and every month thereafter has been just over 200.
Judeau (EatTheRich) Judeau@mas.to
2023-09-01

The VM2 has begun to ship!!!

Orders 1 - 461 are currently shipping. I'm 1,7XX...

They are continuously shipping through the month. Hopefully I will have mine in the next few weeks.

#Sega #Dreamcast #SegaDreamcast #VM2 #Gaming #VideoGames #Games #RetroGaming #RetroGames

A message stating that the VMU2 has begun to ship to backers. Starting with 1-461!
2023-04-20

🚨 [#PatchNow] New VM2 #SandboxEscape... Two critical vulns are out in the #VM2 #Sandbox Library. These flaws affect all versions prior to 3.9.17 and both carry a CVSS score of 9.8.

If exploited, a threat actor could escape protection boundaries and execute arbitrary code. A patch has been released, so get it and update: bleepingcomputer.com/news/secu.

These two CVEs (CVE-2023-29199 and CVE-2023-30547) were discovered by Seung Hyun Lee.

nvd.nist.gov/vuln/detail/CVE-2

nvd.nist.gov/vuln/detail/CVE-2

#infosec #patchmanagement #riskmitigation

Mustafa Kaan Demirhan mstfknn
2023-04-19

🚨 JavaScript library users, update now! Critical flaws (CVE-2023-29199 & CVE-2023-30547) could lead to remote code execution. Patch available in versions 3.9.16 & 3.9.17. Protect against sandbox bypass! More info: thehackernews.com/2023/04/crit

2023-04-11

[#PatchNow] A critical vulnerability in the #VM2 Sandbox Library is a flaw affecting all versions, with a CVSS score of 9.8. If exploited, it could allow a threat actor to escape protection boundaries and execute arbitrary code on target systems. This is patched in version 3.9.15.

github.com/patriksimek/vm2/sec

thehackernews.com/2023/04/rese | #infosec #vuln #patchmanagement

2023-04-09

Popular server-side JavaScript security sandbox “vm2” patches remote execution hole - The security error was in the error handling system that was supposed to catch potential ... nakedsecurity.sophos.com/2023/ #vulnerability #exploit #sandbox #rce #vm2

2022-11-10

a bit of Sultans to finish, nice. #VM2 #MUNvSA
