Skip to main content

vm2 CVE-2026-44008

CRITICAL
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-08 https://github.com/patriksimek/vm2 GHSA-9qj6-qjgg-37qq
9.8
CVSS 3.1 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 16:33 vuln.today
Analysis Generated
May 08, 2026 - 16:33 vuln.today
CVE Published
May 08, 2026 - 15:58 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on vm2 (3 direct, 5 indirect)

Ecosystem-wide dependent count for version 3.11.2.

DescriptionCVE.org

Summary

VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.

Details

The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object.

PoC

js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const a = [];
Object.defineProperty(Array.prototype, 0, {
	set(value) {
		a.f = Buffer.prototype.inspect;
		value.arr.f.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
	}
});
new Buffer(a);
`));

Impact

Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.

AnalysisAI

Remote code execution in vm2 npm package (versions ≤3.11.1) allows attackers to escape the JavaScript sandbox via a prototype pollution technique targeting the neutralizeArraySpeciesBatch method. By installing a setter on Array.prototype[0] and triggering Buffer allocation, attackers gain access to the host Function constructor and can execute arbitrary system commands. Publicly available proof-of-concept exists (GHSA-9qj6-qjgg-37qq). CVSS 9.8 with network vector reflects the risk when vm2 is used to execute untrusted code in server-side applications. Vendor-released patch: vm2 v3.11.2 addresses this and two other concurrent sandbox escapes.

Technical ContextAI

vm2 is a Node.js sandbox library designed to execute untrusted JavaScript code in an isolated context. The vulnerability exists in the neutralizeArraySpeciesBatch method, which was introduced to handle cross-realm object interactions. The flaw is a classic JavaScript prototype pollution leading to sandbox escape: when the sandbox code defines a setter on Array.prototype[0] and then creates a Buffer (which internally creates an array), the setter executes with access to host-realm objects. The setter receives host-side objects via value.arr, exposing Buffer.prototype.inspect. Attackers chain through constructor.constructor to reach the host Function constructor, then use Function('return process')() to access Node.js process object and require('child_process') for system command execution. This exploits CWE-668 (Exposure of Resource to Wrong Sphere) - specifically the failure to maintain proper isolation boundaries between sandbox and host realms. The vulnerability demonstrates that JavaScript proxies, getters/setters, and prototype chains create subtle attack surfaces when building sandboxes in-language rather than via OS/VM isolation.

RemediationAI

Upgrade vm2 to version 3.11.2 immediately, which addresses this vulnerability along with GHSA-9vg3-4rfj-wgcm and GHSA-2cm2-m3w5-gp2f. Download from https://github.com/patriksimek/vm2/releases/tag/v3.11.2 or update via npm with 'npm install vm2@3.11.2'. If immediate upgrade is not feasible, implement compensating controls: (1) run vm2 sandboxes inside OS-level containers (Docker, gVisor) with restricted syscalls, network isolation, and read-only filesystem to limit RCE impact - note this adds operational complexity and does not prevent the escape, only contains damage; (2) avoid passing untrusted code to vm2 until patched - instead process untrusted input as pure data, not executable code; (3) if vm2 processes user-provided code, apply strict input validation to block prototype manipulation patterns (Object.defineProperty, __proto__ assignments, Array.prototype modifications) - this is fragile and bypassable but may block known POCs. Be aware that vm2 maintainers documented the fundamental difficulty of building secure JavaScript sandboxes (see docs/ATTACKS.md in the repository). For high-security use cases, consider migrating to OS/VM-level sandboxes (isolated-vm, Docker, Firecracker) rather than in-language JavaScript sandboxes. Official advisory: https://github.com/advisories/GHSA-9qj6-qjgg-37qq.

Vendor StatusVendor

Share

CVE-2026-44008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy