{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/vm2-3.9.6---3.10.5/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["vm2 (3.9.6 - 3.10.5)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","prototype-pollution","javascript"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe vm2 library, a popular sandbox environment for Node.js, is vulnerable to a prototype pollution attack. Versions 3.9.6 through 3.10.5 are affected. This vulnerability allows malicious JavaScript code running within the vm2 sandbox to escape the sandbox and modify the prototypes of core JavaScript objects (Object, Array, Function) in the host environment. This is possible due to the library\u0026rsquo;s bridge implementation, which exposes mutable proxies for host-realm intrinsic prototypes, and forwards sandbox writes into the underlying host objects. The vulnerability, identified as CVE-2026-44005, poses a significant risk to applications relying on vm2 for secure code execution, as it can lead to arbitrary code execution in the host environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker provides malicious JavaScript code to the vm2 sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe malicious code uses \u003ccode\u003e__lookupGetter__\u003c/code\u003e to access the \u003ccode\u003e__proto__\u003c/code\u003e property of a sandboxed object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBaseHandler.get()\u003c/code\u003e function in \u003ccode\u003elib/bridge.js\u003c/code\u003e returns the host-side descriptor or proxy target prototype for \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker abuses the host \u003ccode\u003e__lookupGetter__('__proto__')\u003c/code\u003e accessor repeatedly, walking up the prototype chain.\u003c/li\u003e\n\u003cli\u003eThis walk eventually leads to a proxy of a host intrinsic prototype, such as \u003ccode\u003eObject.prototype\u003c/code\u003e, \u003ccode\u003eArray.prototype\u003c/code\u003e, or \u003ccode\u003eFunction.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code uses \u003ccode\u003eBaseHandler.set()\u003c/code\u003e or \u003ccode\u003eBaseHandler.defineProperty()\u003c/code\u003e to write attacker-controlled data into the host intrinsic prototype.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eotherReflectSet\u003c/code\u003e or \u003ccode\u003eotherReflectDefineProperty\u003c/code\u003e then propagates the changes to the host environment, bypassing the sandbox.\u003c/li\u003e\n\u003cli\u003eSuccessful prototype pollution allows the attacker to execute arbitrary code in the host environment, escaping the vm2 sandbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to escape the vm2 sandbox and pollute the prototypes of core JavaScript objects in the host environment. This can lead to a variety of consequences, including arbitrary code execution in the host process. This vulnerability affects applications using vm2 versions 3.9.6 through 3.10.5, potentially impacting a wide range of systems that rely on sandboxed JavaScript execution. The prototype pollution can compromise the integrity and security of the host application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of vm2 that addresses CVE-2026-44005.\u003c/li\u003e\n\u003cli\u003eMonitor for attempts to access \u003ccode\u003e__proto__\u003c/code\u003e via \u003ccode\u003e__lookupGetter__\u003c/code\u003e within vm2 sandboxes using the \u003ccode\u003eDetect VM2 Prototype Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement additional input validation and sanitization to prevent malicious JavaScript code from being executed in the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eConsider alternative sandboxing solutions or code review practices to mitigate the risk of sandbox escape vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T04:07:05Z","date_published":"2026-05-07T04:07:05Z","id":"/briefs/2026-05-vm2-sandbox-escape/","summary":"A vulnerability in vm2 versions 3.9.6 through 3.10.5 allows attacker-controlled JavaScript running in a default VM or inherited NodeVM to mutate shared host prototypes from inside the sandbox, leading to sandbox escape and prototype pollution.","title":"vm2 Sandbox Escape via Prototype Pollution","url":"https://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Vm2 (3.9.6 - 3.10.5)","version":"https://jsonfeed.org/version/1.1"}