The vm2 library's source code transformer checks the incoming code for the `catch`, `import`, or `async` keywords (regex `/\b(?:catch|import|async)\b/`) to decide whether to run AST analysis. If the code contains none of these keywords, the transformer takes a fast path and returns the code unmodified, without performing any security instrumentation. This fast-path bypass allows sandboxed code to directly access the internal variable `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`, which exposes helper functions such as `handleException()`, `wrapWith()`, and `import()`. Because the AST visitor that blocks access to that internal variable never runs, and `with()` statements are left unwrapped by `wrapWith()`, an attacker can read the internal state object. The vulnerable range covers vm2 versions 0.0.1 through 3.10.5. The issue is fixed in version 3.11.2.
Platform: Node.js vm2
Version: 0.0.1-3.10.5
Vulnerability: State variable exposure
Severity: Moderate
Date: 2026-05-08
Prediction: Patched 2026-05-08
What Undercode Say:
Check installed vm2 version
npm list vm2
Identify vulnerable instances (versions <3.11.2)
# Dots in the version regex are escaped so they match only literal dots;
# sort -V compares versions numerically, so 3.11.10 sorts after 3.11.2.
npm list vm2 | grep -E 'vm2@[0-9]+\.[0-9]+\.[0-9]+' | while read -r line; do
  ver=$(printf '%s\n' "$line" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
  if [ "$(printf '%s\n' "3.11.2" "$ver" | sort -V | head -n1)" != "3.11.2" ]; then
    echo "Vulnerable: vm2@$ver (fixed in 3.11.2)"
  fi
done
Simulate the fast‑path bypass (PoC)
node -e "const {VM}=require('vm2'); const vm=new VM(); console.log(vm.run('var x=VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(\",\")'))"
Exploit:
The attacker supplies code without the `catch`, `import`, or `async` keywords. The transformer fast path is taken, and the sandboxed code directly reads `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`. Example: `var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(",")` returns "wrapWith,handleException,import". Using `with()` can further manipulate the scope. The exposed state object provides a beachhead for chaining to other sandbox escape techniques (e.g., CVE-2026-26956, CVE-2026-44007).
Protection from this CVE
1. Upgrade vm2 to 3.11.2 or higher.
2. If an immediate upgrade is impossible, override the transformer logic to always perform AST analysis by removing the fast-path check in `lib/transformer.js:55-57` and adding a check for the internal state variable name.
3. Avoid exposing the vm2 sandbox to untrusted user input until the upgrade is applied.
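As an added example (not vm2's own code and not the write-up's PoC), the Node.js pre-filter below reimplements the fast-path decision from the regex quoted above and gates untrusted code on the internal-state identifier and on `with()` statements, in the spirit of the interim mitigation in step 2. It assumes the transformer behaves exactly as described here; the sample snippets are constructed, apart from the quoted PoC line.

```javascript
// Added example, not vm2's own code: a pre-filter modelled on the
// transformer check quoted in the write-up, usable as a compensating
// control while vm2 < 3.11.2 is still deployed. Regex and identifier
// come from the write-up; the triage logic is this example's own.
const FAST_PATH_SKIP_RE = /\b(?:catch|import|async)\b/;
const INTERNAL_STATE_ID = 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL';
const WITH_STMT_RE = /\bwith\s*\(/;

// True when the described transformer would hand the code back
// unmodified: none of the keywords that trigger AST analysis occur.
// Note the \b anchors: "p.catch(" matches, "catcher" does not.
function takesFastPath(code) {
  return !FAST_PATH_SKIP_RE.test(code);
}

// Triage one untrusted snippet before it reaches vm.run().
// `uninstrumented` is true only when a risky construct is present AND
// the fast path would skip the visitor that normally blocks it.
function triage(code) {
  const fastPath = takesFastPath(code);
  const findings = [];
  if (code.includes(INTERNAL_STATE_ID)) {
    findings.push('references vm2 internal state identifier');
  }
  if (WITH_STMT_RE.test(code)) {
    findings.push('uses with() statement (scope manipulation)');
  }
  return { fastPath, findings, uninstrumented: fastPath && findings.length > 0 };
}

// Gate for vm2 callers. Rejects on any finding, not only on the fast
// path, so the decision does not depend on the AST visitor running.
function guardedRun(vm, code) {
  const { findings } = triage(code);
  if (findings.length > 0) {
    throw new Error('rejected untrusted code: ' + findings.join('; '));
  }
  return vm.run(code);
}

// Constructed samples; `poc` is the snippet quoted in the write-up.
const SAMPLES = {
  benign: 'const total = [1, 2, 3].reduce((a, b) => a + b, 0); total',
  poc: 'var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(",")',
  withScope: 'with (globalThis) { typeof VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL }',
  instrumented: 'async function f() { return 1 } f()',
};
for (const [name, code] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triage(code)));
}
```

The filter is a string-level heuristic and a stopgap only; upgrading to 3.11.2 remains the fix.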
Impact
- Security control bypass – The internal state name restriction is completely ineffective when the code avoids the specified keywords.
- Defense-in-depth violation – Internal helper functions (wrapWith, handleException, import) are exposed, creating an attack surface for future code changes.
- Latent RCE risk – While the exposed methods are currently defensive, any future addition of a sensitive method to the internal state object would be immediately exploitable, leading to sandbox escape and remote code execution.
Sources:
Reported By: github.com