CVE Catalog

CVE-2026-44008

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.85%

54th percentile — higher than 54% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js prior to version 3.11.2 allows sandbox escape via the neutralizeArraySpeciesBatch method, which can invoke a getter on the array prototype, exposing objects from the outside. Attackers can obtain host objects and the Function object, enabling arbitrary command execution on the host system.

Risk Assessment

The risk for the organization includes full compromise of the host system by an attacker, potentially leading to data theft, malware installation, or service disruption.

Recommendation

Immediately update the vm2 library to version 3.11.2 or later to fix the vulnerability. If an update is not possible, consider temporarily disabling features related to neutralizeArraySpeciesBatch.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS