Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in vm2 allows a sandboxed script to bypass a performance optimization that normally performs an AST analysis step. By omitting catch, import, and async statements, the fast‑path bypass grants direct access to the internal variable VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL, which holds critical internal functions such as handleException, wrapWith, and import. This exposure can enable an attacker to manipulate the sandbox’s exception handling or import logic, potentially leading to privileged code execution within the sandbox environment. The weakness corresponds to CWE‑693 for failure to restrict operations to authorized users.

Affected Systems

The affected product is vm2, an open‑source virtual machine/sandbox for Node.js, from vendor patriksimek. All releases prior to version 3.11.0 are vulnerable; versions 3.11.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely an attacker running arbitrary JavaScript code inside the vulnerable vm2 sandbox, exploiting the fast‑path bypass by writing code that omits catch, import, or async keywords. By doing so, the attacker can read or alter critical internal functions without triggering the normal security checks.

Generated by OpenCVE AI on May 13, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to vm2 version 3.11.0 or later to eliminate the fast‑path bypass fixed by the vendor.
  • As a temporary measure, patch the local vm2 installation to remove or neutralize the exposed internal variable, for example by replacing VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL with a harmless placeholder or by overriding its critical functions.
  • Run sandboxed code in a separate, minimally privileged process and enforce strict inter‑process boundaries to reduce the impact of any potential exploitation of internal state.

Generated by OpenCVE AI on May 13, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wp5r-2gw5-m7q7 vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
History

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Vm2 Project
Vm2 Project vm2
CPEs cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Vendors & Products Vm2 Project
Vm2 Project vm2

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Patriksimek
Patriksimek vm2
Vendors & Products Patriksimek
Patriksimek vm2

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.
Title vm2: Transformer Fast-Path Bypass Exposes Internal State Variable
Weaknesses CWE-693
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Patriksimek Vm2
Vm2 Project Vm2
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:41:25.611Z

Reserved: 2026-05-04T21:24:36.505Z

Link: CVE-2026-44003

cve-icon Vulnrichment

Updated: 2026-05-13T18:41:19.191Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T18:16:16.997

Modified: 2026-05-14T15:22:34.950

Link: CVE-2026-44003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:15:04Z

Weaknesses