Improper Isolation or Compartmentalization in vm2 | CVE-2026-44000

Q: How to fix?

Upgrade vm2 to version 3.11.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-VM2-16439006
published7 May 2026
disclosed7 May 2026
creditfasrm

Report a new vulnerability Found a mistake?

Introduced: 7 May 2026

NewCVE-2026-44000 (opens in a new tab) CWE-653 (opens in a new tab)

How to fix?

Upgrade vm2 to version 3.11.0 or higher.

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An attacker can supply a host Promise that resolves to an unmapped host object, such as an Object.create(null) instance or another host-realm class vm2 does not proto-map, and then invoke .then() from the sandbox to receive that object unwrapped. If the resolved value contains attacker-controlled methods, those methods execute in the host realm without passing through the bridge, allowing the attacker to run host-side code and break the isolation expected by the user.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None

Improper Isolation or Compartmentalization Affecting vm2 package, versions <3.11.0

Severity