CVE-2026-44005 Overview
CVE-2026-44005 is a sandbox escape vulnerability in vm2, an open-source virtual machine and sandbox library for Node.js. Versions 3.9.6 through 3.10.5 expose mutable proxies for host-realm intrinsic prototypes through the bridge between sandbox and host. Attacker-controlled JavaScript executing inside a default VM or inherited NodeVM can mutate shared host objects including Object.prototype, Array.prototype, and Function.prototype. The flaw is classified under CWE-94: Improper Control of Generation of Code. Maintainers addressed the issue in vm2 version 3.11.0.
Critical Impact
Attackers can break out of the vm2 sandbox and corrupt host-realm prototypes, leading to integrity loss and arbitrary code execution in the parent Node.js process.
Affected Products
- vm2 versions 3.9.6 through 3.10.5
- Node.js applications embedding vulnerable vm2 releases
- Downstream packages that depend transitively on vulnerable vm2 versions
Discovery Timeline
- 2026-05-13 - CVE-2026-44005 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44005
Vulnerability Analysis
The vm2 library establishes a bridge that mediates object access between the sandboxed guest realm and the host Node.js realm. For host-realm intrinsic prototypes such as Object.prototype, Array.prototype, and Function.prototype, the bridge exposes proxies that remain mutable from inside the sandbox. When sandbox code writes to these proxies, the bridge forwards those operations to the underlying host objects through otherReflectSet() and otherReflectDefineProperty(). The result is that guest code can directly mutate intrinsics shared by the host process.
Prototype pollution against host intrinsics breaks the isolation contract that vm2 is designed to provide. Once host prototypes are tampered with, any subsequent code running in the host realm inherits the attacker-controlled properties, enabling code execution, logic manipulation, and denial of service against the parent application.
Root Cause
The root cause is that the bridge treats host-realm intrinsic prototypes as writable from the sandbox side. Rather than freezing or interposing read-only proxies, vm2 passes write and define-property operations directly to host objects via otherReflectSet() and otherReflectDefineProperty(). This forwarding behavior violates the isolation boundary between guest and host realms.
Attack Vector
An attacker supplies untrusted JavaScript that the application evaluates inside a vm2 VM or NodeVM instance. The attacker accesses a host-intrinsic proxy reachable from the sandbox, then assigns or defines properties on it. The bridge propagates the mutation to the real host Object.prototype, Array.prototype, or Function.prototype. Subsequent host-realm code that reads those polluted properties executes attacker-controlled behavior, completing the sandbox escape.
The vulnerability mechanism is documented in the vm2 GitHub Security Advisory GHSA-vwrp-x96c-mhwq. No public proof-of-concept exploit is referenced in the advisory at the time of publication.
Detection Methods for CVE-2026-44005
Indicators of Compromise
- Unexpected properties appearing on host Object.prototype, Array.prototype, or Function.prototype after sandbox execution
- Node.js processes hosting vm2 exhibiting anomalous child process spawns or outbound network connections
- Application log entries showing untrusted scripts referencing __proto__, constructor.prototype, or Reflect.defineProperty during sandbox runs
Detection Strategies
- Inventory all production dependencies and flag any package resolving to vm2 between 3.9.6 and 3.10.5 using npm ls vm2 or software composition analysis tooling.
- Add runtime assertions in the host process that snapshot critical intrinsic prototypes and compare them after each sandbox invocation.
- Review build manifests and lockfiles in CI to fail builds that pull vulnerable vm2 versions transitively.
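The runtime assertion described in the second strategy, as an added example that is not vm2 project code: it snapshots the three host-realm intrinsic prototypes before a sandbox invocation and diffs them afterwards, so any property the bridge forwarded to the host realm surfaces as a finding. It assumes nothing about vm2 itself; runSandboxed is a placeholder for whatever call evaluates the untrusted script.

```javascript
// Added example (not vm2 project code): snapshot the host-realm intrinsic
// prototypes around a sandbox invocation and report any drift afterwards.
// It does not need vm2 installed; runSandboxed is a placeholder for the
// call that evaluates untrusted code (e.g. a vm2 VM or NodeVM run()).
const INTRINSICS = {
  'Object.prototype': Object.prototype,
  'Array.prototype': Array.prototype,
  'Function.prototype': Function.prototype,
};

// Record every own key (string or symbol) with its descriptor, so added,
// removed and redefined properties are all visible in the diff.
function snapshotIntrinsics() {
  const snap = {};
  for (const [name, proto] of Object.entries(INTRINSICS)) {
    snap[name] = new Map(Reflect.ownKeys(proto).map(
      (key) => [key, Object.getOwnPropertyDescriptor(proto, key)]));
  }
  return snap;
}

function sameDescriptor(a, b) {
  return a.value === b.value && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

// Compare two snapshots; returns [] when the intrinsics are untouched.
function diffIntrinsics(before, after) {
  const findings = [];
  for (const name of Object.keys(INTRINSICS)) {
    for (const [key, desc] of after[name]) {
      const old = before[name].get(key);
      if (!old) findings.push(`${name}: added ${String(key)}`);
      else if (!sameDescriptor(old, desc)) findings.push(`${name}: redefined ${String(key)}`);
    }
    for (const key of before[name].keys()) {
      if (!after[name].has(key)) findings.push(`${name}: removed ${String(key)}`);
    }
  }
  return findings;
}

// Run one sandbox invocation and attach the intrinsic-drift findings;
// a non-empty findings list is the alert condition for the host process.
function runGuarded(runSandboxed) {
  const before = snapshotIntrinsics();
  let result, error;
  try { result = runSandboxed(); } catch (e) { error = e; }
  return { result, error, findings: diffIntrinsics(before, snapshotIntrinsics()) };
}
```

Wire runGuarded around each sandbox call and forward non-empty findings to the same telemetry pipeline as the child-process and network events described below.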
Monitoring Recommendations
- Forward Node.js process telemetry, including child process and file system events, to a centralized analytics platform for behavioral baselining.
- Alert on vm2-hosting services that initiate new outbound connections or spawn shells not observed in baseline behavior.
- Track CVE feeds and the vm2 advisory page for updates referencing GHSA-vwrp-x96c-mhwq.
How to Mitigate CVE-2026-44005
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later across all applications and container images.
- Audit dependency trees with npm audit and npm ls vm2 to surface transitive uses of vulnerable releases.
- Restrict the categories of untrusted code accepted by services that rely on vm2 until patching completes.
- Note that the vm2 project has been deprecated by its maintainers; plan migration to an actively maintained isolation library such as isolated-vm or out-of-process sandboxing.
Patch Information
The vulnerability is fixed in vm2 version 3.11.0. Refer to the GitHub Security Advisory GHSA-vwrp-x96c-mhwq for the official remediation guidance from the patriksimek/vm2 project.
Workarounds
- Execute untrusted code in an isolated operating system process or container with seccomp and minimal privileges instead of relying on in-process vm2 isolation.
- Freeze host-realm intrinsics with Object.freeze(Object.prototype), Object.freeze(Array.prototype), and Object.freeze(Function.prototype) at application startup, accepting compatibility tradeoffs.
- Reject or statically validate guest scripts to block access to __proto__, constructor, and Reflect constructs prior to evaluation.
# Configuration example
npm install vm2@^3.11.0
npm ls vm2
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.