CVE-2026-44008: CWE-668: Exposure of Resource to Wrong Sphere in patriksimek vm2
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.
AI Analysis
Technical Summary
The vm2 Node.js sandbox prior to version 3.11.2 contains a vulnerability (CWE-668) where the neutralizeArraySpeciesBatch method improperly handles objects from outside the sandbox. This method can invoke getters on the array prototype that expose host-side objects into the sandbox environment. Attackers can leverage this flaw to obtain the host Function object, enabling them to execute arbitrary code outside the sandbox constraints. This vulnerability effectively allows sandbox escape and remote code execution on the host system. The issue is fixed in vm2 version 3.11.2.
Potential Impact
Successful exploitation allows an attacker to escape the vm2 sandbox and execute arbitrary commands on the host system, compromising confidentiality, integrity, and availability of the host environment. Given the CVSS score of 9.8, the impact is critical with full system compromise potential.
Mitigation Recommendations
Upgrade vm2 to version 3.11.2 or later, where this vulnerability is fixed. No other mitigations are indicated or required as the fix addresses the root cause directly.
CVE-2026-44008: CWE-668: Exposure of Resource to Wrong Sphere in patriksimek vm2
Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vm2 Node.js sandbox prior to version 3.11.2 contains a vulnerability (CWE-668) where the neutralizeArraySpeciesBatch method improperly handles objects from outside the sandbox. This method can invoke getters on the array prototype that expose host-side objects into the sandbox environment. Attackers can leverage this flaw to obtain the host Function object, enabling them to execute arbitrary code outside the sandbox constraints. This vulnerability effectively allows sandbox escape and remote code execution on the host system. The issue is fixed in vm2 version 3.11.2.
Potential Impact
Successful exploitation allows an attacker to escape the vm2 sandbox and execute arbitrary commands on the host system, compromising confidentiality, integrity, and availability of the host environment. Given the CVSS score of 9.8, the impact is critical with full system compromise potential.
Mitigation Recommendations
Upgrade vm2 to version 3.11.2 or later, where this vulnerability is fixed. No other mitigations are indicated or required as the fix addresses the root cause directly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T21:24:36.505Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04ba22cbff5d8610f482cf
Added to database: 5/13/2026, 5:51:30 PM
Last enriched: 5/13/2026, 6:06:51 PM
Last updated: 5/14/2026, 6:52:30 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.