PatchSiren cyber security CVE debrief
CVE-2026-44007 patriksimek CVE debrief
CVE-2026-44007 is a critical vulnerability in vm2, a Node.js sandbox module. The vulnerability allows sandbox code to escape and execute arbitrary OS commands. This is possible when a NodeVM is created with nesting: true, allowing sandbox code to unconditionally require('vm2') regardless of the outer VM's require configuration. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. The vulnerability is fixed in version 3.11.1.
- Vendor: patriksimek
- Product: vm2
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using vm2 in their Node.js applications should be aware of this vulnerability. Specifically, anyone running untrusted code inside a NodeVM with nesting: true is at risk. This includes developers of applications that use vm2 for sandboxing, as well as administrators who have deployed such applications.
Technical summary
The vulnerability exists in the vm2 module, a sandbox for Node.js. When a NodeVM is created with nesting: true, it allows sandbox code to bypass the outer VM's require configuration, including require: false. This enables the sandbox to require('vm2') and create a new inner NodeVM with unrestricted require settings. Consequently, the sandbox can execute arbitrary OS commands on the host system. The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. It is fixed in vm2 version 3.11.1.
Defensive priority
This vulnerability has a high defensive priority: it is rated CRITICAL (CVSS 9.1), and a successful sandbox escape gives the untrusted code arbitrary OS command execution on the host. Immediate action is recommended to mitigate the risk.
Recommended defensive actions
- Update vm2 to version 3.11.1 or later
- Review and restrict the use of nesting: true in NodeVMs
- Implement additional security measures to monitor and limit the execution of untrusted code
- Conduct thorough inventory checks to identify and patch vulnerable applications
- Enhance monitoring and exception tracking to detect potential exploitation attempts
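As an added audit example (not from the debrief or the vm2 project), the JavaScript below flags the two conditions the technical summary and the first two recommendations turn on: a vm2 dependency pinned below 3.11.1, and any NodeVM created with nesting: true. It assumes package.json and the project's source files have already been read into memory; the project data at the bottom is constructed for illustration.

```javascript
const FIXED_VERSION = '3.11.1';
// Pull a major.minor.patch triple out of a version or range pin (^, ~, v prefixes ignored).
function parseVersion(v) {
  const m = String(v).match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}
// True when `version` is strictly below the fixed release 3.11.1.
function isVulnerableVm2Version(version) {
  const a = parseVersion(version), b = parseVersion(FIXED_VERSION);
  if (!a) return true; // unparsable pin (e.g. a git URL): flag for manual review
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// 1-based line numbers of every `new NodeVM(...)` whose options set `nesting: true`;
// a paren counter walks the argument list so multi-line option literals are covered.
function findNestingEnabled(source) {
  const hits = [], re = /new\s+NodeVM\s*\(/g;
  for (let m; (m = re.exec(source)) !== null;) {
    let depth = 1, j = m.index + m[0].length;
    while (j < source.length && depth > 0) {
      if (source[j] === '(') depth++;
      else if (source[j] === ')') depth--;
      j++;
    }
    if (/\bnesting\s*:\s*true\b/.test(source.slice(m.index, j))) {
      hits.push(source.slice(0, m.index).split('\n').length);
    }
  }
  return hits;
}
// Run both checks; `pkg` is a parsed package.json, `files` maps path -> source text.
function auditVm2Usage(pkg, files) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  if (deps.vm2 && isVulnerableVm2Version(deps.vm2)) {
    findings.push(`vm2 ${deps.vm2} is below ${FIXED_VERSION} (CVE-2026-44007): upgrade`);
  }
  for (const [path, src] of Object.entries(files)) {
    for (const line of findNestingEnabled(src)) {
      findings.push(`${path}:${line} creates a NodeVM with nesting: true`);
    }
  }
  return findings;
}
// Constructed sample inputs (hypothetical project, not real code).
const samplePkg = { dependencies: { vm2: '^3.9.19' } };
const sampleFiles = {
  'runner.js': "const { NodeVM } = require('vm2');\nconst vm = new NodeVM({\n  require: false,\n  nesting: true\n});\n",
  'safe.js': "const { NodeVM } = require('vm2');\nconst vm = new NodeVM({ require: false });\n",
};
```

Calling `auditVm2Usage(samplePkg, sampleFiles)` on the samples reports both the outdated pin and runner.js line 2, while safe.js, which never sets nesting, produces no finding.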
Evidence notes
The vulnerability is confirmed by the vendor and multiple sources, including the NVD and Red Hat security advisories. The CVE record and NVD detail provide comprehensive information about the vulnerability. Additional sources, such as the vm2 project and security mailing lists, offer further context and mitigation guidance.
Official resources
- CVE-2026-44007 CVE record (CVE.org)
- CVE-2026-44007 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.