Medium severity5.3GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44003
CVE-2026-44003
Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vm2npm | < 3.11.0 | 3.11.0 |
Affected products
1- Range: <= 3.10.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-wp5r-2gw5-m7q7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44003ghsaADVISORY
- github.com/patriksimek/vm2/releases/tag/v3.11.0ghsaWEB
News mentions
0No linked articles in our index yet.