CVE Catalog

CVE-2026-44005

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.84%

53th percentile — higher than 53% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js (versions 3.9.6 to 3.10.5) allows attacker-controlled JavaScript running in the sandbox to mutate host prototypes such as Object.prototype, Array.prototype, and Function.prototype. This occurs because the bridge exposes mutable proxies for real host-realm intrinsic prototypes and forwards sandbox writes to host objects using ReflectSet() and ReflectDefineProperty().

Risk Assessment

An attacker can modify global JavaScript object prototypes in the host environment, leading to unauthorized influence over application behavior, potential process takeover in Node.js, or data integrity compromise.

Recommendation

Immediately upgrade vm2 to version 3.11.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS