Skip to main content

vm2 CVE-2026-44005

CRITICAL
Code Injection (CWE-94)
2026-05-07 https://github.com/patriksimek/vm2 GHSA-vwrp-x96c-mhwq
10.0
CVSS 3.1 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Red Hat
10.0 HIGH
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 04:31 vuln.today
Analysis Generated
May 07, 2026 - 04:31 vuln.today
CVE Published
May 07, 2026 - 04:07 nvd
CRITICAL 10.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 29 npm packages depend on vm2 (7 direct, 22 indirect)

Ecosystem-wide dependent count for version 3.9.6.

DescriptionCVE.org

Summary

vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox.

Details

BaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive (lib/bridge.js:665-676). BaseHandler.get() special-cases __proto__ and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host __lookupGetter__('__proto__') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype (lib/bridge.js:590-616). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes (lib/bridge.js:641-649, lib/bridge.js:753-774). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink (lib/bridge.js:494-530, lib/bridge.js:595-610, lib/bridge.js:660-662).

PoC

Run the following code snippet and observe that the value of vm2EscapeMarker is polluted:

const { VM } = require('vm2');
const vm = new VM();
vm.run(`
  const g = ({}).__lookupGetter__;
  const a = Buffer.apply;
  const p = a.apply(g, [Buffer, ['__proto__']]);
  const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));
  hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype';
`);
console.log({}.vm2EscapeMarker)

Impact

Sandbox escape and prototype pollution.

AnalysisAI

vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).

Technical ContextAI

vm2 is a widely-used npm sandbox library for executing untrusted JavaScript in isolated VM contexts. The vulnerability exploits the realm-bridging proxy implementation in lib/bridge.js. BaseHandler.apply() unwraps sandbox-controlled receivers/arguments with otherFromThis() and directly invokes host functions via otherReflectApply(). Attackers chain __lookupGetter__('__proto__') calls through exposed Buffer.apply to walk from sandbox objects to host-realm intrinsic prototypes (Object.prototype, Array.prototype, Function.prototype). Once holding a proxy to host intrinsics, BaseHandler.set() and BaseHandler.defineProperty() forward writes to the real host objects using otherReflectSet() and otherReflectDefineProperty() without sandbox isolation. CWE-94 (Improper Control of Generation of Code) applies because the proxy bridge fails to enforce realm separation, allowing sandbox code to modify shared prototype chains that affect host-realm execution. The npm CPE pkg:npm/vm2 identifies the affected package; the vulnerability exists in the proxy handler design that was supposed to bridge sandboxed and host realms but instead created a bidirectional mutation channel.

RemediationAI

Upgrade to vm2 version 3.11.0 immediately per the vendor advisory at https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq and release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. However, the vm2 project was officially deprecated in 2023 with maintainers recommending migration to isolated-vm (https://github.com/laverdet/isolated-vm) which provides true V8 isolate-level separation rather than proxy-based realm bridging. Organizations should prioritize full replacement over patching given vm2's end-of-life status and the discovery of 13 concurrent security vulnerabilities in the same release cycle. If immediate migration is not feasible, apply v3.11.0 as a temporary measure and implement defense-in-depth: disable Buffer exposure in VM instances (compromises some legitimate use cases but blocks the PoC's Buffer.apply primitive), run VM-executing Node.js processes under restrictive OS-level sandboxes (seccomp-bpf, AppArmor, or containers with minimal privileges) to limit post-exploitation impact, and implement resource limits via the new bufferAllocLimit option in v3.11.0 to mitigate related DoS vectors. Monitor for prototype pollution side effects by adding runtime checks for unexpected properties on Object.prototype/Array.prototype/Function.prototype. All mitigations except full replacement carry trade-offs: disabling Buffer breaks legitimate use cases, OS sandboxing adds operational complexity, and runtime pollution checks only detect rather than prevent exploitation.

Vendor StatusVendor

Share

CVE-2026-44005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy