CVSS 10.0 · CRITICAL

CVE-2026-44006

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

View on NVD

Analysis

A critical sandbox escape has been found in vm2, a popular Node.js library for executing untrusted code. The vulnerability allows an attacker to bypass the sandbox isolation and reach the host environment, potentially leading to remote code execution. Users should update to version 3.11.0 immediately.

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-94

EPSS

No EPSS score yet (very recent CVE).


Published: 13/5/2026, 18:16:17
Last modified: 13/5/2026, 19:17:26
