vm2 CVE-2026-44008
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 8 npm packages depend on vm2 (3 direct, 5 indirect)
Ecosystem-wide dependent count for version 3.11.2.
DescriptionCVE.org
Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
Details
The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object.
PoC
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const a = [];
Object.defineProperty(Array.prototype, 0, {
set(value) {
a.f = Buffer.prototype.inspect;
value.arr.f.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
}
});
new Buffer(a);
`));Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
AnalysisAI
Remote code execution in vm2 npm package (versions ≤3.11.1) allows attackers to escape the JavaScript sandbox via a prototype pollution technique targeting the neutralizeArraySpeciesBatch method. By installing a setter on Array.prototype[0] and triggering Buffer allocation, attackers gain access to the host Function constructor and can execute arbitrary system commands. Publicly available proof-of-concept exists (GHSA-9qj6-qjgg-37qq). CVSS 9.8 with network vector reflects the risk when vm2 is used to execute untrusted code in server-side applications. Vendor-released patch: vm2 v3.11.2 addresses this and two other concurrent sandbox escapes.
Technical ContextAI
vm2 is a Node.js sandbox library designed to execute untrusted JavaScript code in an isolated context. The vulnerability exists in the neutralizeArraySpeciesBatch method, which was introduced to handle cross-realm object interactions. The flaw is a classic JavaScript prototype pollution leading to sandbox escape: when the sandbox code defines a setter on Array.prototype[0] and then creates a Buffer (which internally creates an array), the setter executes with access to host-realm objects. The setter receives host-side objects via value.arr, exposing Buffer.prototype.inspect. Attackers chain through constructor.constructor to reach the host Function constructor, then use Function('return process')() to access Node.js process object and require('child_process') for system command execution. This exploits CWE-668 (Exposure of Resource to Wrong Sphere) - specifically the failure to maintain proper isolation boundaries between sandbox and host realms. The vulnerability demonstrates that JavaScript proxies, getters/setters, and prototype chains create subtle attack surfaces when building sandboxes in-language rather than via OS/VM isolation.
RemediationAI
Upgrade vm2 to version 3.11.2 immediately, which addresses this vulnerability along with GHSA-9vg3-4rfj-wgcm and GHSA-2cm2-m3w5-gp2f. Download from https://github.com/patriksimek/vm2/releases/tag/v3.11.2 or update via npm with 'npm install vm2@3.11.2'. If immediate upgrade is not feasible, implement compensating controls: (1) run vm2 sandboxes inside OS-level containers (Docker, gVisor) with restricted syscalls, network isolation, and read-only filesystem to limit RCE impact - note this adds operational complexity and does not prevent the escape, only contains damage; (2) avoid passing untrusted code to vm2 until patched - instead process untrusted input as pure data, not executable code; (3) if vm2 processes user-provided code, apply strict input validation to block prototype manipulation patterns (Object.defineProperty, __proto__ assignments, Array.prototype modifications) - this is fragile and bypassable but may block known POCs. Be aware that vm2 maintainers documented the fundamental difficulty of building secure JavaScript sandboxes (see docs/ATTACKS.md in the repository). For high-security use cases, consider migrating to OS/VM-level sandboxes (isolated-vm, Docker, Firecracker) rather than in-language JavaScript sandboxes. Official advisory: https://github.com/advisories/GHSA-9qj6-qjgg-37qq.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9qj6-qjgg-37qq