vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44003.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-693"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.11.0"
}
]
}