CVE-2026-44007: RCE in vm2 Node.js Sandbox
Platform: nodejs
Component: vm2
Fixed in: 3.11.1
CVE-2026-44007 is a Remote Code Execution (RCE) vulnerability affecting the vm2 Node.js sandbox library. This vulnerability arises when the nesting: true option is enabled during NodeVM creation, allowing untrusted code within the sandbox to bypass require restrictions and execute arbitrary commands on the host system. The vulnerability impacts versions 0.0.0 through 3.10.0 of vm2, and a fix is available in version 3.11.1.
Impact and Attack Scenarios
The impact of CVE-2026-44007 is severe. An attacker who can inject code into a NodeVM created with nesting: true can effectively gain complete control of the host system, because the sandboxed code bypasses the intended require restrictions and executes arbitrary OS commands. This could lead to data exfiltration, system compromise and, potentially, lateral movement within the network. The ability to execute arbitrary commands mirrors the impact of vulnerabilities like Log4Shell, where a single crafted input can lead to full system takeover. The blast radius extends to any application relying on vm2 for sandboxing untrusted code, making it a widespread concern.
Exploitation Context
CVE-2026-44007 was published on May 13, 2026. The vulnerability's severity is considered CRITICAL with a CVSS score of 9.1. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a high-priority concern. The vulnerability is not currently listed on KEV or EPSS, but the high CVSS score suggests a medium to high probability of exploitation if a public exploit is released. Refer to the official vm2 advisory for further details.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-44007 is to upgrade to vm2 version 3.11.1 or later. If upgrading is not immediately feasible due to compatibility issues, consider disabling the nesting: true option in your NodeVM configuration. This will prevent the vulnerable code execution path, but may impact the functionality of your application. As a temporary workaround, implement strict input validation and sanitization for any code executed within the sandbox to minimize the potential for malicious code injection. Monitor system logs for suspicious activity related to Node.js processes, particularly those utilizing vm2. After upgrading, confirm the fix by attempting to create a NodeVM with nesting: true and verifying that the require restrictions are properly enforced.
How to fix
Upgrade to version 3.11.1 or later of the vm2 library. This version fixes the vulnerability by ensuring that the 'require: false' option is applied correctly, preventing the execution of arbitrary code outside the sandbox.
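The two checks the mitigation text asks for (is the pinned vm2 version inside the affected range, and does a NodeVM configuration still carry nesting: true) as an added, offline example; this is not code from the advisory or from the vm2 project. The package-lock.json content is constructed for the demo, the version boundaries are the ones this advisory states (affected through 3.10.0, fixed in 3.11.1), and releases between those two are reported as unverified rather than assumed safe.

```javascript
// Added example (not from the advisory or the vm2 project): an offline audit for
// CVE-2026-44007 that (1) reads the vm2 version pinned in a package-lock.json and
// classifies it against the advisory's version boundaries, and (2) inspects a
// NodeVM options object for the nesting: true setting and returns a hardened copy.
const LAST_AFFECTED = '3.10.0';   // last affected release named by the advisory
const FIXED_VERSION = '3.11.1';   // release that carries the fix

// Numeric comparison of dotted version strings; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Locate vm2 in a lock file: lockfileVersion 2/3 use the "packages" map,
// lockfileVersion 1 uses the "dependencies" tree.
function findVm2Version(lockJson) {
  const lock = JSON.parse(lockJson);
  const pkg = lock.packages && lock.packages['node_modules/vm2'];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies.vm2;
  if (dep && dep.version) return dep.version;
  return null;
}

// 'affected' up to 3.10.0, 'fixed' from 3.11.1, 'unverified' for anything in between.
function assessVersion(version) {
  if (compareVersions(version, LAST_AFFECTED) <= 0) return 'affected';
  if (compareVersions(version, FIXED_VERSION) >= 0) return 'fixed';
  return 'unverified';
}

// Flag the option the advisory names (nesting: true) and any require access
// granted to sandboxed code; the advisory's fix makes require: false honoured.
function auditNodeVmOptions(opts) {
  const findings = [];
  if (opts.nesting === true) findings.push('nesting: true enables the CVE-2026-44007 code path');
  if (opts.require && opts.require !== false) findings.push('require is enabled inside the sandbox');
  return findings;
}

function hardenNodeVmOptions(opts) {
  return { ...opts, nesting: false, require: false };
}

// Constructed lock-file fragment for the demo (not a real project's file).
const SAMPLE_LOCK = JSON.stringify({ name: 'demo-app', lockfileVersion: 3,
  packages: { '': { dependencies: { vm2: '^3.9.0' } }, 'node_modules/vm2': { version: '3.9.19' } } });
console.log('vm2', findVm2Version(SAMPLE_LOCK), '->', assessVersion(findVm2Version(SAMPLE_LOCK)));
console.log(auditNodeVmOptions({ nesting: true, require: { external: true } }));
```

Run it with node and feed it your own package-lock.json content and NodeVM options to get the same three-way version verdict and the list of risky options.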
Frequently asked questions
What is CVE-2026-44007 — RCE in vm2 Node.js Sandbox?
CVE-2026-44007 is a critical Remote Code Execution vulnerability in the vm2 Node.js sandbox library. It allows attackers to execute arbitrary code on the host system if the 'nesting: true' option is enabled.
Am I affected by CVE-2026-44007 in vm2?
You are affected if you are using vm2 versions 0.0.0 through 3.10.0 and have the nesting: true option enabled in your NodeVM configuration.
How do I fix CVE-2026-44007 in vm2?
Upgrade to vm2 version 3.11.1 or later. If immediate upgrade is not possible, disable the nesting: true option or implement strict input validation.
Is CVE-2026-44007 being actively exploited?
Currently, there are no publicly known exploits or active campaigns targeting this vulnerability, but its severity and ease of exploitation make it a high-priority concern.
Where can I find the official vm2 advisory for CVE-2026-44007?
Refer to the official vm2 project repository and related security advisories for the latest information and updates regarding CVE-2026-44007.