CRITICAL🇵🇱 Wersja polska

CVE-2026-44006

CVSS 10.0v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

🤖 AI Analysis
How it works

The vulnerability consists of the ability to call the BaseHandler.getPrototypeOf method in an unintended manner through sandbox mechanisms. An attacker can use it to obtain a reference to any JavaScript object prototype from outside the isolated environment. This leads to breaking the sandbox boundary and potential execution of arbitrary code in the context of the host Node.js process (code injection, CWE-94).

Impact

An attacker can completely break out of the sandbox isolation and execute arbitrary code in the context of the application hosting vm2, which in practice means complete takeover of the server — violation of confidentiality, data integrity, and system availability.

Mitigation & patch

The vm2 library should be updated to version 3.11.0 or newer, where the vulnerability has been fixed. If immediate update is not possible, consider alternative mechanisms for isolating untrusted code.

Who is affected

vm2 library for Node.js in versions before 3.11.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44008CRITICAL9.8PL ✓ten sam produkt

Ucieczka z sandboxu vm2 poprzez getter na prototypie tablicy