Vm2 (3.9.6 - 3.10.5) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/vm2-3.9.6---3.10.5/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 07 May 2026 04:07:05 +0000vm2 Sandbox Escape via Prototype Pollutionhttps://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-escape/Thu, 07 May 2026 04:07:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-vm2-sandbox-escape/A vulnerability in vm2 versions 3.9.6 through 3.10.5 allows attacker-controlled JavaScript running in a default VM or inherited NodeVM to mutate shared host prototypes from inside the sandbox, leading to sandbox escape and prototype pollution.The vm2 library, a popular sandbox environment for Node.js, is vulnerable to a prototype pollution attack. Versions 3.9.6 through 3.10.5 are affected. This vulnerability allows malicious JavaScript code running within the vm2 sandbox to escape the sandbox and modify the prototypes of core JavaScript objects (Object, Array, Function) in the host environment. This is possible due to the library’s bridge implementation, which exposes mutable proxies for host-realm intrinsic prototypes, and forwards sandbox writes into the underlying host objects. The vulnerability, identified as CVE-2026-44005, poses a significant risk to applications relying on vm2 for secure code execution, as it can lead to arbitrary code execution in the host environment.

Attack Chain

  1. Attacker provides malicious JavaScript code to the vm2 sandbox environment.
  2. The malicious code uses __lookupGetter__ to access the __proto__ property of a sandboxed object.
  3. The BaseHandler.get() function in lib/bridge.js returns the host-side descriptor or proxy target prototype for __proto__.
  4. The attacker abuses the host __lookupGetter__('__proto__') accessor repeatedly, walking up the prototype chain.
  5. This walk eventually leads to a proxy of a host intrinsic prototype, such as Object.prototype, Array.prototype, or Function.prototype.
  6. The malicious code uses BaseHandler.set() or BaseHandler.defineProperty() to write attacker-controlled data into the host intrinsic prototype.
  7. otherReflectSet or otherReflectDefineProperty then propagates the changes to the host environment, bypassing the sandbox.
  8. Successful prototype pollution allows the attacker to execute arbitrary code in the host environment, escaping the vm2 sandbox.

Impact

Successful exploitation of this vulnerability allows an attacker to escape the vm2 sandbox and pollute the prototypes of core JavaScript objects in the host environment. This can lead to a variety of consequences, including arbitrary code execution in the host process. This vulnerability affects applications using vm2 versions 3.9.6 through 3.10.5, potentially impacting a wide range of systems that rely on sandboxed JavaScript execution. The prototype pollution can compromise the integrity and security of the host application.

Recommendation

  • Upgrade to a patched version of vm2 that addresses CVE-2026-44005.
  • Monitor for attempts to access __proto__ via __lookupGetter__ within vm2 sandboxes using the Detect VM2 Prototype Access Sigma rule.
  • Implement additional input validation and sanitization to prevent malicious JavaScript code from being executed in the vm2 sandbox.
  • Consider alternative sandboxing solutions or code review practices to mitigate the risk of sandbox escape vulnerabilities.
]]>criticaladvisorysandbox-escapeprototype-pollutionjavascript