Sandbox Escape Vulnerability in vm2 for Node.js
CVE-2026-44001

8.6HIGH

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 13 May 2026

🔔 Create Patriksimek Vulnerability Alert

What is CVE-2026-44001?

The vm2 library, utilized for creating sandboxes in Node.js, has a vulnerability prior to version 3.11.0 that allows sandboxed code to compromise the Node.js host process. This issue arises from a flaw in the handling of unhandled promise rejections. Specifically, the executor function of a Promise can cause the host to crash if it triggers an unhandled rejection. Previous fixes only addressed certain callback scenarios and inadequately managed the executor-to-unhandledRejection pathway, necessitating an upgrade to at least version 3.11.0 to mitigate the risk.

Affected Version(s)

vm2 < 3.11.0

References

https://github.com/patriksimek/vm2/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-44001 Data

JSON