CVE-2026-44009
Published 2026-05-13
Priority: P3 · 54 · Severity: critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, code running inside the sandbox can break out through an exception object with a null prototype and execute arbitrary code on the host (GHSA-9vg3-4rfj-wgcm). This vulnerability is fixed in 3.11.2.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| patriksimek | vm2 | < 3.11.2 | 3.11.2 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.11.2 | 3.11.2 |
| vm2_project | vm2 | >= 0 < 3.11.2 | 3.11.2 |
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 9.8 CRITICAL
VulDB
patriksimek vm2 up to 3.11.1 exposure of resource (GHSA-9vg3-4rfj-wgcm)
vuldb · 2026-05-13 · CVSS 9.8 · CVE-2026-44009 [CRITICAL]
A vulnerability was found in patriksimek vm2 up to 3.11.1. It has been classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to exposure of resource.
This vulnerability is listed as CVE-2026-44009. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
vm2 has Sandbox Breakout Through Null Proto Exception
ghsa · 2026-05-08 · CVE-2026-44009 [CRITICAL] · CWE-668
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
In `handleException`, because of ``// SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`)``, exceptions with a null prototype are assumed to come from the other side and are proxied. It is therefore possible, by throwing and then catching a sandbox object with a null prototype, to obtain both the proxied and the unproxied versions of that object, which allows access to the host `Function` object.
### PoC
```js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const o = {__proto__: null};
try {
  throw o;
} catch (e) {
  e.f = Buffer.prototype
  // (advisory excerpt truncated here)
```
Red Hat
vm2: vm2: Arbitrary Code Execution via Sandbox Escape
vendor_redhat · 2026-05-13 · CVSS 9.8 · CVE-2026-44009 [CRITICAL] · CWE-653
A flaw was found in vm2 (before 3.11.2). A sandbox escape vulnerability allows remote attackers to execute arbitrary code on the host system by breaking vm2 isolation. Fixed in 3.11.2.
Statement: vm2 is vulnerable to sandbox escape leading to arbitrary code execution on the host. A remote unauthenticated attacker who can submit code to the vm2 sandbox may escape isolation and execute arbitrary commands. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). Fixed in vm2 3.11.2.
Mitigation: Upgrade to vm2 3.11.2 or later.
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) - Under investigation
Package: ansible-automation-platform/au
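Before upgrading, most teams first need to know where vm2 actually is, because it is frequently pulled in as a transitive dependency rather than listed in package.json. The script below is an added example, not code from vm2 or from any of the advisories above: it applies the affected range from this page (any version below 3.11.2) to every vm2 copy recorded in a package-lock.json, including nested installs under other packages, for both the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 `dependencies` tree. The embedded lock file, the dependency name `some-proxy-lib` and all function names are constructed for the example.

```javascript
// Added example: inventory vm2 copies in a package-lock.json and flag any
// version below the fixed release. Not part of vm2 or the advisories.
const FIXED_VM2 = '3.11.2'; // first fixed release per GHSA-9vg3-4rfj-wgcm

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease such as 3.11.2-rc.1 sorts below the 3.11.2 release, so it
// is still treated as unfixed.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Affected range from this advisory: < 3.11.2.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VM2) < 0;
}

// Collect every vm2 install in the lock file with its install path.
function findVm2(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerableVm2(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: keys are node_modules paths, "" is the root.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && meta.version) record(path, meta.version);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2' && meta.version) record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lock file (not a real project): the direct vm2 is
// already on the fixed release, but a hypothetical dependency
// "some-proxy-lib" still carries a stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/some-proxy-lib': { version: '2.0.0' },
    'node_modules/some-proxy-lib/node_modules/vm2': { version: '3.10.1' },
  },
};

// Print one line per vm2 copy; return the number of vulnerable copies.
function reportVm2(lock) {
  const hits = findVm2(lock);
  for (const h of hits) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.path} ${h.version}`);
  }
  return hits.filter((h) => h.vulnerable).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  reportVm2(SAMPLE_LOCK);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-zero return from `reportVm2` means at least one copy still needs the 3.11.2 upgrade, and a nested hit tells you which dependency has to be bumped or overridden rather than vm2 itself.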
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44009 vm2: vm2: Arbitrary Code Execution via Sandbox Escape
bugzilla · 2026-05-13 · CVSS 9.8 · [CRITICAL]
Hackernews
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
blogs_hackernews · 2026-05-07 · CVSS 10.0 · CVE-2026-24118 [CRITICAL]
## vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The security flaws are listed below -
CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGette
References
https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm
https://access.redhat.com/security/cve/CVE-2026-44009
https://bugzilla.redhat.com/show_bug.cgi?id=2477185
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44009.json