CVE Catalog
CVE-2026-44006
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk0.82%
52th percentile — higher than 52% of all known CVEs
Summary
A vulnerability in the vm2 library for Node.js allows an attacker to bypass the sandbox and access arbitrary object prototypes. The issue is fixed in version 3.11.0.
Risk Assessment
An attacker can exploit this flaw to escalate privileges within the Node.js environment, potentially leading to unauthorized code execution or data theft.
Recommendation
Immediately update the vm2 library to version 3.11.0 or later.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

