CVE-2026-44007 Overview
CVE-2026-44007 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.1 allow sandboxed code to call require('vm2') when the outer NodeVM is created with nesting: true, even when the host application explicitly sets require: false. Sandboxed code can then construct a new inner NodeVM with unrestricted require settings and execute arbitrary operating system commands on the host. Any application running untrusted code inside a NodeVM with nesting enabled is fully compromised. The issue is fixed in vm2 version 3.11.1.
Critical Impact
Sandboxed code escapes the vm2 boundary and executes arbitrary OS commands on the host with the privileges of the Node.js process.
Affected Products
- vm2 (npm package vm2, CPE vendor vm2_project) prior to 3.11.1
- Node.js applications that instantiate NodeVM with nesting: true
- Downstream services and platforms that embed vm2 to execute untrusted JavaScript
Discovery Timeline
- 2026-05-13 - CVE-2026-44007 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44007
Vulnerability Analysis
The vm2 library provides a Node.js sandbox intended to run untrusted JavaScript with controlled access to host capabilities such as require. Host applications typically pass require: false to deny module loading inside the sandbox. When nesting: true is also set, the sandbox is permitted to instantiate further NodeVM instances. The flaw is that the nested-VM feature exposes the vm2 module itself to sandboxed code regardless of the outer require policy. Untrusted code can therefore obtain a reference to the NodeVM constructor, instantiate a fresh sandbox configured with require: true and unrestricted built-ins, and load child_process to execute commands. This is a broken access control issue classified as CWE-284 (Improper Access Control).
Root Cause
The nesting: true code path inside vm2 did not honor the outer sandbox's require configuration when exposing the vm2 module to nested contexts. The access-control check that should have prevented the sandbox from resolving vm2 was effectively bypassed, allowing the guest to bootstrap a more privileged inner VM.
Attack Vector
An attacker who can supply JavaScript to an application that evaluates it inside a NodeVM with nesting: true writes a payload that calls require('vm2'), constructs a new NodeVM with require: true and no allowlist, then loads child_process and invokes exec or execSync. The resulting command runs with the privileges of the host Node.js process. Because the host application must opt into nesting, the precondition is control over the application configuration (rated as high privileges required), while no user interaction is needed once that configuration exists. The vm2 maintainers' GitHub Security Advisory GHSA-8hg8-63c5-gwmx and the oss-security mailing list discussion on Openwall describe the escape mechanism in detail.
Detection Methods for CVE-2026-44007
Indicators of Compromise
- Node.js processes spawning unexpected child processes such as /bin/sh, bash, cmd.exe, or powershell.exe from applications that embed vm2.
- Outbound network connections initiated by a Node.js worker that previously only handled user-supplied scripts.
- File system writes or reads outside the application's working directory by the Node.js process hosting vm2.
Detection Strategies
- Inventory all Node.js applications and identify those that declare vm2 in package.json or package-lock.json at versions below 3.11.1.
- Search application source for new NodeVM( invocations that include nesting: true and treat each as a high-risk sink for untrusted input.
- Alert on process lineage where node is the parent of a shell or scripting interpreter that was not part of normal application behavior.
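The first two strategies above can be scripted. The following is an added example, not code from the advisory or from the vm2 project: it checks vm2 versions pinned in a package-lock.json against 3.11.1 and scans source text for new NodeVM( calls whose options contain nesting: true. The lockfile and source snippet are constructed samples, and the bracket-depth scan assumes well-formed source without parentheses inside string literals.

```javascript
// Added example, not part of the advisory or of vm2 itself: helpers for the
// two audit steps above (lockfile version check, source scan for nesting: true).
const FIXED = [3, 11, 1];   // first patched vm2 release

// True if a version spec ("3.9.19", "^3.9.19", ">=3.0.0") can resolve below 3.11.1.
function isVulnerableVersion(spec) {
  const m = String(spec).match(/(\d+)\.(\d+)\.(\d+)/);
  if (!m) return true;      // git URLs, "*", etc.: cannot prove it is patched
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  return false;             // exactly 3.11.1
}

// Every vm2 version pinned in a package-lock.json (lockfileVersion 2 or 3), nested copies included.
function vm2VersionsFromLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/vm2' || p.endsWith('/node_modules/vm2'))
    .map(([, info]) => info.version);
}

// 1-based line numbers of `new NodeVM(` calls whose argument contains nesting: true.
// Walks to the matching ')' by bracket depth; assumes well-formed source (no brackets in strings).
function riskyNodeVMLines(src) {
  const hits = [], re = /new\s+NodeVM\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1, i = m.index + m[0].length;
    for (; i < src.length && depth > 0; i++) {
      if ('([{'.includes(src[i])) depth++;
      else if (')]}'.includes(src[i])) depth--;
    }
    if (/\bnesting\s*:\s*true\b/.test(src.slice(m.index, i)))
      hits.push(src.slice(0, m.index).split('\n').length);
  }
  return hits;
}

// Constructed sample inputs (not from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { 'node_modules/vm2': { version: '3.9.19' } } };
const SAMPLE_SRC = [
  "const { NodeVM } = require('vm2');",
  "const safe = new NodeVM({ require: false });",          // default nesting: false
  "const risky = new NodeVM({ require: false,",
  "  nesting: true });",                                   // flagged: line 3
].join('\n');

function audit(lock, src) {
  const vulnerable = vm2VersionsFromLock(lock).filter(isVulnerableVersion);
  return { vulnerableVersions: vulnerable, nestingLines: riskyNodeVMLines(src) };
}
console.log(audit(SAMPLE_LOCK, SAMPLE_SRC));
```

Run it against each service's real package-lock.json and concatenated source to produce the inventory of hosts that need the upgrade and the NodeVM call sites that need review.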
Monitoring Recommendations
- Enable process creation auditing on hosts running vm2-based services and forward events to a centralized log store for correlation.
- Monitor egress traffic from sandboxing services and baseline expected destinations to surface command-and-control activity following an escape.
- Track changes to node_modules/vm2 package versions across build and production environments to detect downgrades or unpatched deployments.
How to Mitigate CVE-2026-44007
Immediate Actions Required
- Upgrade vm2 to version 3.11.1 or later across all applications and rebuild container images that bundle the package.
- Audit code paths that instantiate NodeVM and remove nesting: true unless the feature is strictly required.
- Treat any historical execution of untrusted scripts inside a vulnerable vm2 configuration as a potential compromise and review host telemetry accordingly.
Patch Information
The vm2 maintainers released a fix in version 3.11.1. Refer to the GitHub Security Advisory GHSA-8hg8-63c5-gwmx for the patch reference and upgrade guidance. Note that the upstream vm2 project has announced it is no longer maintained for security; teams should plan migration to an actively maintained isolation mechanism such as isolated-vm or out-of-process sandboxing.
Workarounds
- Set nesting: false on every NodeVM instance (or omit the option, since false is the default); this blocks the documented escape path.
- Run the Node.js process that hosts vm2 under a dedicated low-privilege user with no write access to application directories.
- Confine the sandboxing service in a container with seccomp, AppArmor, or SELinux profiles that deny execve of shells and restrict outbound network access.
# Upgrade vm2 to the patched release
npm install vm2@3.11.1 --save
npm audit --production
# Verify no remaining vulnerable versions in the dependency tree
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.