CRITICAL🇵🇱 Wersja polska

CVE-2026-44005

CVSS 10.0v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.

🤖 AI Analysis
How it works

The vm2 bridge exposes modifiable proxies pointing to actual host environment prototypes inside the sandbox. When code in the sandbox performs a write operation on such a proxy, vm2 passes this operation directly to the host objects using internal otherReflectSet() and otherReflectDefineProperty() functions. As a result, an attacker can modify global JavaScript host prototypes from the default VM or inheriting NodeVM level, which constitutes a classic prototype pollution attack that breaks out of the sandbox boundaries.

Impact

An attacker can modify shared host prototypes (Object.prototype, Array.prototype, Function.prototype), which can lead to application malfunction, unintended code execution in the host context, and compromise of integrity and availability of the entire Node.js process.

Mitigation & patch

vm2 should be updated to version 3.11.0, in which the vulnerability has been fixed. If immediate update is not possible, untrusted code execution within vm2 should be restricted or discontinued entirely until the patch is deployed.

Who is affected

vm2 in versions from 3.9.6 to 3.10.5 (inclusive) for Node.js

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    3.9.6 – 3.11.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44008CRITICAL9.8PL ✓ten sam produkt

Ucieczka z sandboxu vm2 poprzez getter na prototypie tablicy