Vulnerability Details CVE-2026-44005
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.5%
CVSS Severity
CVSS v3 Score 10.0
References
Products affected by CVE-2026-44005
-
cpe:2.3:a:vm2_project:vm2:3.10.0
-
cpe:2.3:a:vm2_project:vm2:3.10.1
-
cpe:2.3:a:vm2_project:vm2:3.10.2
-
cpe:2.3:a:vm2_project:vm2:3.10.3
-
cpe:2.3:a:vm2_project:vm2:3.10.4
-
cpe:2.3:a:vm2_project:vm2:3.10.5
-
cpe:2.3:a:vm2_project:vm2:3.9.10
-
cpe:2.3:a:vm2_project:vm2:3.9.11
-
cpe:2.3:a:vm2_project:vm2:3.9.12
-
cpe:2.3:a:vm2_project:vm2:3.9.13
-
cpe:2.3:a:vm2_project:vm2:3.9.14
-
cpe:2.3:a:vm2_project:vm2:3.9.15
-
cpe:2.3:a:vm2_project:vm2:3.9.16
-
cpe:2.3:a:vm2_project:vm2:3.9.17
-
cpe:2.3:a:vm2_project:vm2:3.9.18
-
cpe:2.3:a:vm2_project:vm2:3.9.19
-
cpe:2.3:a:vm2_project:vm2:3.9.6
-
cpe:2.3:a:vm2_project:vm2:3.9.7
-
cpe:2.3:a:vm2_project:vm2:3.9.8
-
cpe:2.3:a:vm2_project:vm2:3.9.9