CVE-2026-44008 Overview
CVE-2026-44008 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. The flaw exists in versions prior to 3.11.2 and stems from the neutralizeArraySpeciesBatch method. This method works with objects from the host side but can be invoked through a getter on the array prototype, exposing host-side objects into the sandbox. Attackers exploiting this issue can obtain a reference to the host Function object and execute arbitrary commands on the underlying system. The vulnerability is classified under [CWE-668]: Exposure of Resource to Wrong Sphere. The issue is resolved in vm2 version 3.11.2.
Critical Impact
Attackers can escape the vm2 sandbox and execute arbitrary commands on the host Node.js process with no authentication or user interaction.
Affected Products
- vm2 versions prior to 3.11.2
- Node.js applications embedding vm2 for untrusted code evaluation
- Downstream packages depending on vulnerable vm2 releases
Discovery Timeline
- 2026-05-13 - CVE-2026-44008 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44008
Vulnerability Analysis
The vm2 library isolates untrusted JavaScript by creating a sandboxed context and proxying objects between the host and the sandbox. To preserve isolation, vm2 must ensure that objects from the host side are never directly handed to sandboxed code. The neutralizeArraySpeciesBatch method was introduced to manage this boundary for array-related operations. However, the method invokes a getter defined on the array prototype while still operating on host-side objects, breaking the separation between the two realms.
An attacker controlling sandboxed code can define a getter on Array.prototype that observes objects passed in from the host context. Once a host object is captured, the attacker can walk its prototype chain to reach the host Function constructor. Calling Function from the host realm produces a function that executes outside the sandbox, allowing arbitrary command execution on the Node.js process.
Root Cause
The root cause is improper realm isolation in neutralizeArraySpeciesBatch. The method dispatches operations through user-controllable property accessors without first ensuring that the inputs belong to the sandbox realm, which violates the trust boundary vm2 is designed to enforce.
Attack Vector
Exploitation requires only that an application evaluates attacker-controlled JavaScript inside a vm2 sandbox. Many applications use vm2 to run user-supplied plugins, expressions, templates, or webhook scripts, making the attack surface broad. No prior authentication or local access is required when the sandbox is exposed through a network-facing service.
No verified public exploit code is available at this time. Refer to the GitHub Security Advisory GHSA-9qj6-qjgg-37qq for additional technical context.
Detection Methods for CVE-2026-44008
Indicators of Compromise
- Unexpected child processes spawned from Node.js parent processes that host vm2 sandboxes
- Outbound network connections originating from Node.js workers immediately after sandboxed code execution
- Sandboxed scripts that define getters on Array.prototype or manipulate Symbol.species
Detection Strategies
- Inventory all Node.js applications and audit package-lock.json and yarn.lock for vm2 versions below 3.11.2
- Monitor runtime behavior of Node.js processes for spawning of shells, file system writes, or network egress outside expected baselines
- Add static analysis rules that flag use of vm2 in dependency trees and gate deployments on patched versions
Monitoring Recommendations
- Enable process lineage telemetry on hosts running Node.js services to detect sandbox escapes through anomalous child processes
- Collect application logs that capture sandbox initialization, script source hashes, and execution errors for retrospective analysis
- Alert on Node.js processes invoking child_process, fs, or net APIs immediately following untrusted script evaluation
How to Mitigate CVE-2026-44008
Immediate Actions Required
- Upgrade vm2 to version 3.11.2 or later in all affected applications
- Rebuild and redeploy any container images or serverless bundles that pin a vulnerable vm2 release
- Treat any Node.js host that ran untrusted scripts on a vulnerable vm2 version as potentially compromised and investigate accordingly
Patch Information
The maintainers fixed the issue in vm2 3.11.2. The patch corrects neutralizeArraySpeciesBatch so that host-side objects are not exposed through prototype getters reachable from sandboxed code. See the GitHub Security Advisory GHSA-9qj6-qjgg-37qq for the official fix details.
Workarounds
- Migrate to an actively maintained sandbox alternative if upgrading vm2 is not feasible, since vm2 is no longer maintained beyond this fix line
- Refuse to evaluate untrusted JavaScript until the dependency is patched, and disable any feature that accepts user-supplied scripts
- Apply OS-level isolation such as separate processes, restrictive seccomp profiles, or containers with read-only file systems to limit the blast radius of any escape
# Configuration example
npm install vm2@3.11.2
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
