VYPR
Critical severity10.0GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44005

CVE-2026-44005

Description

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vm2npm
>= 3.9.6, < 3.11.03.11.0

Affected products

3
  • Patriksimek/Vm2GHSA2 versions
    >= 3.9.6, <= 3.10.5+ 1 more
    • (no CPE)range: >= 3.9.6, <= 3.10.5
    • cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*range: >=3.9.6,<3.11.0
  • ghsa-coords
    Range: >= 3.9.6, < 3.11.0

Patches

Vulnerability mechanics

References

4

News mentions

1