vm2 CVE-2026-44005
CRITICAL
GHSA-vwrp-x96c-mhwq
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 29 npm packages depend on vm2 (7 direct, 22 indirect)
Ecosystem-wide dependent count for version 3.9.6.
DescriptionNVD
Summary
vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox.
Details
BaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive (lib/bridge.js:665-676). BaseHandler.get() special-cases __proto__ and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host __lookupGetter__('__proto__') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype (lib/bridge.js:590-616). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes (lib/bridge.js:641-649, lib/bridge.js:753-774). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink (lib/bridge.js:494-530, lib/bridge.js:595-610, lib/bridge.js:660-662).
PoC
Run the following code snippet and observe that the value of vm2EscapeMarker is polluted:
const { VM } = require('vm2');
const vm = new VM();
vm.run(`
const g = ({}).__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));
hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype';
`);
console.log({}.vm2EscapeMarker)Impact
Sandbox escape and prototype pollution.
AnalysisAI
vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all applications and dependencies using vm2 versions 3.9.6 through 3.10.5 via software composition analysis or npm audit. Within 7 days: Upgrade vm2 to version 3.11.0 or later across all development, staging, and production environments. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today