VYPR
Critical severity9.1GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44007

CVE-2026-44007

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. This vulnerability is fixed in 3.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vm2npm
< 3.11.13.11.1

Affected products

3
  • Patriksimek/Vm2GHSA2 versions
    <= 3.11.0+ 1 more
    • (no CPE)range: <= 3.11.0
    • cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*range: <3.11.1
  • ghsa-coords
    Range: < 3.11.1

Patches

Vulnerability mechanics

References

5

News mentions

1