vm2 CVE-2026-44005
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 29 npm packages depend on vm2 (7 direct, 22 indirect)
Ecosystem-wide dependent count for version 3.9.6.
DescriptionCVE.org
Summary
vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox.
Details
BaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive (lib/bridge.js:665-676). BaseHandler.get() special-cases __proto__ and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host __lookupGetter__('__proto__') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype (lib/bridge.js:590-616). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes (lib/bridge.js:641-649, lib/bridge.js:753-774). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink (lib/bridge.js:494-530, lib/bridge.js:595-610, lib/bridge.js:660-662).
PoC
Run the following code snippet and observe that the value of vm2EscapeMarker is polluted:
const { VM } = require('vm2');
const vm = new VM();
vm.run(`
const g = ({}).__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));
hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype';
`);
console.log({}.vm2EscapeMarker)Impact
Sandbox escape and prototype pollution.
AnalysisAI
vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).
Technical ContextAI
vm2 is a widely-used npm sandbox library for executing untrusted JavaScript in isolated VM contexts. The vulnerability exploits the realm-bridging proxy implementation in lib/bridge.js. BaseHandler.apply() unwraps sandbox-controlled receivers/arguments with otherFromThis() and directly invokes host functions via otherReflectApply(). Attackers chain __lookupGetter__('__proto__') calls through exposed Buffer.apply to walk from sandbox objects to host-realm intrinsic prototypes (Object.prototype, Array.prototype, Function.prototype). Once holding a proxy to host intrinsics, BaseHandler.set() and BaseHandler.defineProperty() forward writes to the real host objects using otherReflectSet() and otherReflectDefineProperty() without sandbox isolation. CWE-94 (Improper Control of Generation of Code) applies because the proxy bridge fails to enforce realm separation, allowing sandbox code to modify shared prototype chains that affect host-realm execution. The npm CPE pkg:npm/vm2 identifies the affected package; the vulnerability exists in the proxy handler design that was supposed to bridge sandboxed and host realms but instead created a bidirectional mutation channel.
RemediationAI
Upgrade to vm2 version 3.11.0 immediately per the vendor advisory at https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq and release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. However, the vm2 project was officially deprecated in 2023 with maintainers recommending migration to isolated-vm (https://github.com/laverdet/isolated-vm) which provides true V8 isolate-level separation rather than proxy-based realm bridging. Organizations should prioritize full replacement over patching given vm2's end-of-life status and the discovery of 13 concurrent security vulnerabilities in the same release cycle. If immediate migration is not feasible, apply v3.11.0 as a temporary measure and implement defense-in-depth: disable Buffer exposure in VM instances (compromises some legitimate use cases but blocks the PoC's Buffer.apply primitive), run VM-executing Node.js processes under restrictive OS-level sandboxes (seccomp-bpf, AppArmor, or containers with minimal privileges) to limit post-exploitation impact, and implement resource limits via the new bufferAllocLimit option in v3.11.0 to mitigate related DoS vectors. Monitor for prototype pollution side effects by adding runtime checks for unexpected properties on Object.prototype/Array.prototype/Function.prototype. All mitigations except full replacement carry trade-offs: disabling Buffer breaks legitimate use cases, OS sandboxing adds operational complexity, and runtime pollution checks only detect rather than prevent exploitation.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-vwrp-x96c-mhwq