Skip to main content

VM2 CVE-2026-44009

CRITICAL
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-08 https://github.com/patriksimek/vm2 GHSA-9vg3-4rfj-wgcm
9.8
CVSS 3.1 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 17:00 vuln.today
Analysis Generated
May 08, 2026 - 17:00 vuln.today
CVE Published
May 08, 2026 - 16:20 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on vm2 (3 direct, 5 indirect)

Ecosystem-wide dependent count for version 3.11.2.

DescriptionCVE.org

Summary

VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.

Details

In handleException due to `// SECURITY (post-GHSA-mpf8 hardening): use from (not ensureThis) exceptions with a null proto will be assumed to come from the other side and being proxied. Therefore, it is possible to get the proxied and unproxied object of a sandbox object with a null proto when thrown and then catched which allows to get the host Function` object.

PoC

js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const o = {__proto__: null};
try {
	throw o;
} catch (e) {
	e.f = Buffer.prototype.inspect
	o.f.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
}
`));

Impact

Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.

AnalysisAI

Remote code execution in VM2 (npm package) allows complete sandbox escape via null-prototype exception handling flaw. Attackers can execute arbitrary system commands on the host by exploiting a logic error in the exception proxy mechanism that incorrectly handles objects with null prototypes. Public exploit code exists and the vulnerability affects all versions prior to 3.11.2. The CVSS 9.8 severity reflects network-accessible, unauthenticated exploitation requiring no user interaction - however, real-world risk depends on whether untrusted users can supply code to the VM2 sandbox in a given deployment.

Technical ContextAI

VM2 is a popular Node.js sandbox library (npm package) designed to execute untrusted JavaScript code in an isolated environment. The vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) exists in the exception handling bridge between the sandbox and host realms. When VM2's handleException function processes exceptions, it uses a heuristic to distinguish sandbox objects from host objects based on prototype chains. The post-GHSA-mpf8 hardening code specifically checks prototypes to decide whether to proxy an exception. However, objects with explicitly null prototypes (__proto__: null) confuse this logic - the exception handler incorrectly treats them as host-realm objects requiring proxying. When such an object is thrown from the sandbox and caught, the attacker receives both the proxied and unproxied references. By manipulating properties on these dual references, attackers can access the host's Function constructor through Buffer.prototype.inspect.constructor, then invoke process.mainModule.require to load child_process and execute arbitrary shell commands. This breaks the fundamental security boundary that VM2 is designed to enforce.

RemediationAI

Upgrade to VM2 version 3.11.2 immediately, as confirmed by the release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.2. This version patches three critical RCE vulnerabilities including GHSA-9vg3-4rfj-wgcm. Update via npm with 'npm install vm2@3.11.2' or 'npm update vm2' if package.json allows. If immediate patching is impossible, disable or restrict access to any application features that allow untrusted users to submit code for VM2 execution - this is the only effective workaround since the vulnerability is in the core sandbox mechanism. Specifically, implement authentication and authorization controls to limit code execution endpoints to trusted users only, though this reduces the utility of the sandbox. Consider replacing VM2 with alternative sandboxing solutions (isolated-vm, Worker threads with limited capabilities) as VM2 has a history of sandbox escape vulnerabilities and the project's security model may be fundamentally flawed. Review application logs for suspicious child_process executions or file system modifications (e.g., unexpected file creation) that could indicate prior exploitation. Note that version 3.11.2 fixes multiple RCE issues simultaneously, suggesting thorough security review was conducted - however, given the pattern of bypasses, defense-in-depth is essential even after patching.

Vendor StatusVendor

Share

CVE-2026-44009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy