CVE-2026-44005

CRITICAL

vm2: Sandbox escape

Title source: cna
STIX 2.1

Description

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.

Scores

CVSS v3 10.0
EPSS 0.0084
EPSS Percentile 53.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-1321 CWE-653 CWE-94
Status published
Products (3)
npm/vm2 3.9.6 - 3.11.0npm
patriksimek/vm2 >= 3.9.6, < 3.11.0
vm2_project/vm2 3.9.6 - 3.11.0
Published May 13, 2026
Tracked Since May 13, 2026