CRITICAL🇵🇱 Wersja polska

CVE-2026-44009

CVSS 9.8v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-668 (Exposure of Resource to Wrong Sphere) indicates improper access management to resources within the vm2 isolation mechanism. Code running inside the sandbox can access resources or context that should be unavailable to it. The detailed technical mechanism has not been disclosed in the description, however, a critical CVSS score of 9.8 with a network vector requiring no privileges and user interaction indicates a serious isolation flaw.

Impact

An attacker can cause a sandbox escape, which as a consequence may result in unauthorized access to sensitive data, violation of system integrity, and potentially complete takeover of the host.

Mitigation & patch

The vm2 library should be updated to version 3.11.2 or newer, in which the vulnerability has been fixed. It is recommended to check all Node.js projects using vm2 as a dependency and apply the update immediately.

Who is affected

vm2 library for Node.js in versions prior to 3.11.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)