PatchSiren cyber security CVE debrief

CVE-2026-44007 patriksimek CVE debrief

CVE-2026-44007 is a critical vulnerability in vm2, a Node.js sandbox module. The vulnerability allows sandbox code to escape and execute arbitrary OS commands. This is possible when a NodeVM is created with nesting: true, allowing sandbox code to unconditionally require('vm2') regardless of the outer VM's require configuration. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. The vulnerability is fixed in version 3.11.1.

Vendor: patriksimek
Product: vm2
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-30
Advisory published: 2026-05-13
Advisory updated: 2026-06-30

Who should care

Developers and administrators using vm2 in their Node.js applications should be aware of this vulnerability. Specifically, anyone running untrusted code inside a NodeVM with nesting: true is at risk. This includes developers of applications that use vm2 for sandboxing, as well as administrators who have deployed such applications.

Technical summary

The vulnerability exists in the vm2 module, a sandbox for Node.js. When a NodeVM is created with nesting: true, it allows sandbox code to bypass the outer VM's require configuration, including require: false. This enables the sandbox to require('vm2') and create a new inner NodeVM with unrestricted require settings. Consequently, the sandbox can execute arbitrary OS commands on the host system. The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. It is fixed in vm2 version 3.11.1.

Defensive priority

This vulnerability has a high defensive priority due to its critical severity and potential for exploitation. Immediate action is recommended to mitigate the risk.

Recommended defensive actions

  • Update vm2 to version 3.11.1 or later
  • Audit NodeVM instances for nesting: true and disable the option unless it is strictly required
  • Implement additional security measures to monitor and limit the execution of untrusted code
  • Inventory deployed applications to identify those bundling a vulnerable vm2 version and patch them
  • Enhance monitoring and exception tracking to detect potential exploitation attempts
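The first, second and fourth actions can be partly automated. The following Node.js audit helper is an added example, not code from the advisory or the vm2 project: it reports vm2 copies in a package-lock.json that are older than the fixed 3.11.1 release and flags NodeVM option objects that set nesting: true. The lockfile and source snippet it scans are constructed samples; the NodeVM options and version numbers are the only names taken from the advisory.

```javascript
// Added audit helper, not part of vm2 or this advisory: flags vm2 copies older than
// the fixed 3.11.1 release and NodeVM option objects that enable `nesting`.
const FIXED_VERSION = '3.11.1';
// Numeric comparison of dotted version strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Report every vm2 copy in a package-lock.json "packages" map (lockfileVersion 2/3),
// nested node_modules copies included, whose version predates the fix.
function findVulnerableVm2(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}
// Heuristic source scan: find `new NodeVM({...})` and extract the options object by
// balancing braces, so nested objects such as require: { ... } do not cut it short.
function findNestingEnabled(source) {
  const findings = [], re = /new\s+NodeVM\s*\(\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = m.index + m[0].length - 1; // index of the opening brace
    let depth = 0, i = start;
    for (; i < source.length; i++) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}' && --depth === 0) break;
    }
    const options = source.slice(start, i + 1);
    if (/\bnesting\s*:\s*true\b/.test(options)) findings.push({ offset: m.index, options });
  }
  return findings;
}
// Constructed sample inputs (not taken from any real project).
const SAMPLE_LOCK = { packages: {
  'node_modules/vm2': { version: '3.9.19' },
  'node_modules/some-lib/node_modules/vm2': { version: '3.11.1' } } };
const SAMPLE_SOURCE = `const { NodeVM } = require('vm2');
const risky = new NodeVM({ require: { external: true }, nesting: true });
const safer = new NodeVM({ require: false });`;
// Run both checks over the constructed samples and return the findings.
function auditSample() {
  return { vulnerableCopies: findVulnerableVm2(SAMPLE_LOCK), nestingSites: findNestingEnabled(SAMPLE_SOURCE) };
}
```

The source scan is a heuristic (braces inside string literals can confuse it), so treat its output as a list of sites to review by hand rather than a proof of absence.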

Evidence notes

The vulnerability is confirmed by the vendor and multiple sources, including the NVD and Red Hat security advisories. The CVE record and NVD detail provide comprehensive information about the vulnerability. Additional sources, such as the vm2 project and security mailing lists, offer further context and mitigation guidance.

Official resources

This article is AI-assisted and based on the supplied source corpus.