PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44005 Vm2 Project CVE debrief

CVE-2026-44005 is a critical vulnerability in vm2, a sandbox for Node.js. The vulnerability exists in versions 3.9.6 to 3.10.5, where vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes. This allows attacker-controlled JavaScript running in a default VM or inherited NodeVM to mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox. The vulnerability is fixed in version 3.11.0. This issue has a CVSS score of 10 and a severity of CRITICAL.

Vendor
Vm2 Project
Product
Vm2
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-13
Original CVE updated
2026-06-30
Advisory published
2026-05-13
Advisory updated
2026-06-30

Who should care

Developers and administrators using vm2 in their Node.js applications should be aware of this vulnerability. Given the critical severity and high impact, immediate attention is required to ensure that vm2 is updated to a secure version. Organizations using affected versions of vm2 should prioritize patching to prevent potential exploitation.

Technical summary

The vulnerability in vm2 arises from its bridge mechanism, which exposes mutable proxies for host-realm intrinsic prototypes. Specifically, the use of otherReflectSet() and otherReflectDefineProperty() allows sandbox writes to be forwarded into the underlying host objects. This enables an attacker to modify critical prototypes such as Object.prototype, Array.prototype, and Function.prototype from within the sandbox. The issue is addressed in vm2 version 3.11.0, which properly restricts these operations.

Defensive priority

High. Immediate patching is recommended due to the critical severity and potential for exploitation.

Recommended defensive actions

  • Update vm2 to version 3.11.0 or later.
  • Review and restrict the use of mutable proxies in vm2 configurations.
  • Implement additional monitoring for suspicious activity within Node.js environments.
  • Ensure that all NodeVM and VM instances are properly isolated and configured.
  • Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.

Evidence notes

The CVE-2026-44005 vulnerability is documented in the NVD and CVE databases. Multiple sources, including GitHub security advisories and Red Hat security bulletins, confirm the existence and impact of this issue. The vulnerability is considered critical with a CVSS score of 10.

Official resources

This article is AI-assisted and based on the supplied source corpus.