PatchSiren cyber security CVE debrief
CVE-2026-44005 Vm2 Project CVE debrief
CVE-2026-44005 is a critical vulnerability in vm2, a sandbox for Node.js. The vulnerability exists in versions 3.9.6 to 3.10.5, where vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes. This allows attacker-controlled JavaScript running in a default VM or inherited NodeVM to mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox. The vulnerability is fixed in version 3.11.0. This issue has a CVSS score of 10 and a severity of CRITICAL.
- Vendor: Vm2 Project
- Product: Vm2
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-30
Who should care
Anyone running vm2 inside a Node.js application is in scope, and the exposure is greatest where vm2 is used for its stated purpose: executing untrusted or partially trusted JavaScript. In the affected versions that code can mutate the host's Object.prototype, Array.prototype, and Function.prototype, so the isolation the library was adopted for no longer holds. Given the CVSS 10 rating, treat the upgrade to 3.11.0 as urgent for every deployment on 3.9.6 through 3.10.5, including copies of vm2 pulled in transitively by other dependencies.
Technical summary
The vulnerability arises from vm2's bridge mechanism, which exposes mutable proxies for host-realm intrinsic prototypes. Specifically, otherReflectSet() and otherReflectDefineProperty() forward sandbox writes into the underlying host objects, so code running in a default VM or an inherited NodeVM can add or replace properties on the host's Object.prototype, Array.prototype, and Function.prototype. Because every object, array, and function in the host realm inherits from those prototypes, a single write from the sandbox becomes visible to all host code: prototype pollution that crosses the sandbox boundary. vm2 3.11.0 addresses the issue by restricting these forwarded operations.
Defensive priority
High. Immediate patching is recommended due to the critical severity and potential for exploitation.
Recommended defensive actions
- Update vm2 to version 3.11.0 or later, and check nested copies installed under other dependencies, not only the top-level one.
- Until the upgrade lands, assume any code that reaches a default VM or inherited NodeVM can mutate host prototypes, and stop feeding untrusted code to those instances where the application allows it.
- Monitor the host process for prototype pollution: own properties appearing on Object.prototype, Array.prototype, or Function.prototype after sandbox code runs are a direct indicator that this path is being exercised.
- Inventory every place the application constructs a VM or NodeVM and confirm each runs the patched version; the defect is in the bridge itself, so isolation settings on the instance do not close it.
- A Web Application Firewall in front of the endpoint that accepts scripts can screen known exploit payloads, but it cannot see what executes inside the sandbox; treat it as a stopgap rather than a fix.
Evidence notes
The CVE-2026-44005 vulnerability is documented in the NVD and CVE databases. Multiple sources, including GitHub security advisories and Red Hat security bulletins, confirm the existence and impact of this issue. The vulnerability is considered critical with a CVSS score of 10.
Official resources
- CVE-2026-44005 CVE record (CVE.org)
- CVE-2026-44005 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.