CVE-2026-44005
10.0 Critical
Published:
Last updated:
Source: security-advisories@github.com
Modified
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: None
- Integrity: High
- Availability: High
Description
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox. This vulnerability is fixed in 3.11.0.
References
security-advisories@github.com
https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq