CVSS 10.0 · CRITICAL

CVE-2026-44006

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.


Analysis

A critical sandbox escape has been found in vm2, a popular Node.js library for executing untrusted code. The vulnerability allows an attacker to bypass the sandbox isolation and gain access to the host environment, potentially leading to remote code execution. Users should update to version 3.11.0 immediately.

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-94

EPSS

No EPSS score yet (CVE may be too fresh).

Published: 5/13/2026, 6:16:17 PM
Last modified: 5/13/2026, 7:17:26 PM
