CRITICAL🇵🇱 Wersja polska

CVE-2026-44008

CVSS 9.8v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

🤖 AI Analysis
How it works

The neutralizeArraySpeciesBatch method operates on objects from an external context, however it can be invoked by a getter defined on the array prototype on the host side. Through this mechanism, objects from an incorrect context (host side) are exposed inside the sandbox. An attacker can thus gain access to host objects, including the Function object, which allows constructing code that executes outside the sandbox.

Impact

An attacker can completely escape the isolated vm2 environment and execute arbitrary commands on the host system, leading to full server compromise.

Mitigation & patch

Update the vm2 library to version 3.11.2, where the vulnerability has been fixed.

Who is affected

vm2 in versions before 3.11.2 (sandbox/VM library for Node.js, patriksimek/vm2 project)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)