CVE-2026-44002 Overview
CVE-2026-44002 is an information disclosure vulnerability in vm2, an open source sandbox library for running untrusted JavaScript inside Node.js. The flaw is in vm2's CallSite wrapper class, which was designed as a safe wrapper around V8's native CallSite API. The wrapper blocks getThis() and getFunction() so that host objects cannot leak into the sandbox, but it lets getFileName() return unsanitized absolute paths from the host filesystem. Sandboxed code can therefore read the host-side path of every module that appears on a call stack, which reveals the installation directory, the node_modules layout, and any version strings embedded in directory names. The issue affects versions prior to 3.11.0 and is classified under [CWE-209] Generation of Error Message Containing Sensitive Information.
Critical Impact
Untrusted code running inside the vm2 sandbox can enumerate host filesystem paths, library locations, and framework versions, enabling reconnaissance for follow-on attacks.
Affected Products
- vm2 (npm package vm2) versions prior to 3.11.0
- Node.js applications embedding vm2 for sandboxed code execution
- Multi-tenant platforms using vm2 to isolate user-supplied JavaScript
Discovery Timeline
- 2026-05-13 - CVE-2026-44002 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44002
Vulnerability Analysis
The vm2 library provides a sandboxed execution environment for untrusted JavaScript within Node.js processes. It wraps several V8 internals to prevent sandboxed code from accessing host objects. The CallSite wrapper is one such control, exposing stack frame metadata to sandboxed code while filtering methods that would return host references.
The wrapper correctly blocks getThis() and getFunction(), which would return host-side values. However, getFileName() passes through unsanitized. When sandboxed code installs an Error.prepareStackTrace handler and throws, it receives the CallSite objects for every frame on the synchronous call chain, including the vm2 bridge code and the embedding application's frames that called into the sandbox, and each frame's getFileName() returns the absolute path of that module on the host filesystem. This reveals installation directories, node_modules paths, and module versions embedded in directory names.
The disclosure is purely informational and does not break the sandbox boundary directly. However, the leaked paths support follow-on exploitation by mapping installed libraries to known vulnerabilities.
Root Cause
The CallSite wrapper mediates individual methods rather than the frame as a whole: getThis() and getFunction() are blocked, but getFileName() returns the raw V8 value. The wrapper does not redact, hash, or relativize the host path before returning it to sandboxed code. This is an incomplete sanitization of error and stack metadata, characteristic of [CWE-209].
Attack Vector
An attacker submits JavaScript to a service that evaluates code inside vm2. The code installs a custom Error.prepareStackTrace handler, throws an error, and iterates over the resulting CallSite objects. Calling getFileName() on each frame returns absolute host paths. The attacker exfiltrates these paths through the sandbox's normal return channel, achieving reconnaissance without breaking out of the sandbox.
A verified proof-of-concept is described in the GitHub Security Advisory GHSA-v27g-jcqj-v8rw. No public exploit is listed in Exploit-DB, and the CVE is not on the CISA KEV list.
Detection Methods for CVE-2026-44002
Indicators of Compromise
- Sandboxed scripts that define Error.prepareStackTrace and immediately throw or capture stacks
- Outbound responses from sandbox endpoints containing absolute filesystem paths such as /home/, /var/, or C:\Users\
- Repeated sandbox executions from a single tenant that enumerate stack frames across diverse error scenarios
Detection Strategies
- Inventory all Node.js services using the vm2 package and identify versions below 3.11.0
- Inspect sandbox output streams for absolute path patterns and node_modules references
- Add static analysis rules that flag user-supplied JavaScript containing Error.prepareStackTrace or getFileName references; treat this as a low-fidelity signal, since computed property access (Error['prepare' + 'StackTrace']) or minified code defeats simple string matching
Monitoring Recommendations
- Log all vm2 evaluation calls with tenant identity, payload hash, and response size for anomaly analysis
- Alert on sandbox responses whose content matches host path regex patterns
- Correlate sandbox reconnaissance activity with subsequent exploitation attempts against disclosed library versions
How to Mitigate CVE-2026-44002
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later in all Node.js applications
- Audit application dependencies with npm ls vm2 to locate transitive instances of the package
- Treat the leaked paths as reconnaissance already in an attacker's hands: check whether the disclosed library versions carry known vulnerabilities, and review the paths for host-specific details (tenant or customer names, deployment identifiers) that should not be exposed. The issue discloses file locations, not file contents, so credential rotation is only warranted if a disclosed path itself embeds a secret
Patch Information
The issue is fixed in vm2 version 3.11.0. The maintainers updated the CallSite wrapper to sanitize getFileName() output. Refer to the vm2 GitHub Security Advisory for advisory details. Note that the vm2 project has been deprecated by its maintainers; teams should plan migration to actively maintained alternatives such as isolated-vm.
Workarounds
- Run vm2 evaluations inside a chroot or container with generic mount paths (for example /app rather than a path that names the host, tenant, or release) so that any leaked path carries as little information as possible
- Strip or rewrite absolute path strings from sandbox responses before returning them to untrusted callers
- Migrate workloads from vm2 to a maintained sandbox library where feasible
# Configuration example
npm install vm2@3.11.0
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.