CVE Catalog

CVE-2026-44006

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.82%

52th percentile — higher than 52% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js allows an attacker to bypass the sandbox and access arbitrary object prototypes. The issue is fixed in version 3.11.0.

Risk Assessment

An attacker can exploit this flaw to escalate privileges within the Node.js environment, potentially leading to unauthorized code execution or data theft.

Recommendation

Immediately update the vm2 library to version 3.11.0 or later.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS