CVE-2026-44007

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. This vulnerability is fixed in 3.11.1.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx	Exploit Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/05/11	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

History

14 May 2026, 15:18

Type	Values Removed	Values Added
References	~~() https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx -~~	() https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx - Exploit, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2026/05/05/11 -~~	() http://www.openwall.com/lists/oss-security/2026/05/05/11 - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:vm2_project:vm2::::::node.js::*
First Time		Vm2 Project vm2 Vm2 Project

13 May 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 18:16

Updated : 2026-05-14 15:18

NVD link : CVE-2026-44007

Mitre link : CVE-2026-44007

CVE.ORG link : CVE-2026-44007

JSON object : View

Products Affected

vm2_project

CWE

CWE-284

Improper Access Control

9.1 /10