vm2 Sandbox Escape (CVE-2026-44007) Allows Arbitrary OS Commands
A critical vulnerability, CVE-2026-44007, has been identified in vm2, an open-source sandbox for Node.js. The National Vulnerability Database reports that prior to version 3.11.1, if a NodeVM is initialized with nesting: true, sandboxed code can bypass require configuration restrictions and load vm2 itself. This effectively allows the sandbox to construct a new inner NodeVM with unrestricted require settings.
This flaw enables the execution of arbitrary operating system commands on the host machine. Any application that runs untrusted code inside a NodeVM instance configured with nesting: true is exposed to full compromise of the host. The National Vulnerability Database assigns this a CVSS score of 9.1 (CRITICAL), reflecting the severity of a sandbox escape that ends in OS command execution.
The implications are straightforward: if you’re using vm2 to isolate untrusted Node.js code, and you’ve enabled nesting: true, your isolation is an illusion. Attackers can break out and run commands on the underlying system. The fix is available in vm2 version 3.11.1, and immediate patching is non-negotiable for affected deployments.
What This Means For You
- If your Node.js applications use vm2 with `nesting: true` to sandbox untrusted code, you are fully exposed to arbitrary OS command execution. Patch vm2 to version 3.11.1 or higher immediately. Audit every `NodeVM` construction and remove `nesting: true` unless it is genuinely required and its implications are understood; even where it stays, the patch is still mandatory, because the version bump is what actually closes the escape.
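The audit described above can be scripted. The following is an added example, not code from the advisory or from the vm2 project: it checks a package-lock.json for installed vm2 versions older than 3.11.1 and scans source text for `new NodeVM({ ... })` literals that set `nesting: true`, showing the weak configuration next to the hardened one. The lockfile excerpt and the source snippet are constructed sample input; the version comparison and the regex heuristic are this example's own, and the regex will miss options objects assembled elsewhere and passed in by variable.

```javascript
// Added example (not from the advisory or vm2): audit a dependency lockfile and
// source text for the two conditions the advisory names. All inputs below are
// constructed for the example.

const FIXED_VERSION = '3.11.1'; // first fixed vm2 release per the advisory

// Numeric comparison of dotted semver strings; pre-release tags are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed vm2 older than the fix. Handles lockfile v2/v3
// ("packages" map keyed by path) and the v1 nested "dependencies" tree;
// when both are present the "packages" map is authoritative.
function findVulnerableVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && meta.version &&
          compareVersions(meta.version, FIXED_VERSION) < 0) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2' && meta.version &&
            compareVersions(meta.version, FIXED_VERSION) < 0) {
          found.push({ path, version: meta.version });
        }
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Find `new NodeVM({...})` calls whose options literal sets `nesting: true`.
// The pattern tolerates one level of nested braces (e.g. a `require: {...}`
// sub-object). It is a textual heuristic, not a JavaScript parser.
function findNestedNodeVM(source, file = '<input>') {
  const re = /new\s+NodeVM\s*\(\s*\{([^}]*(?:\{[^}]*\}[^}]*)*)\}\s*\)/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    if (/\bnesting\s*:\s*true\b/.test(m[1])) {
      const line = source.slice(0, m.index).split('\n').length;
      hits.push({ file, line });
    }
  }
  return hits;
}

// Constructed sample lockfile (v3) with an outdated vm2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'plugin-runner', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/acorn': { version: '8.11.3' },
  },
};

// Constructed sample source: the vulnerable configuration next to the fixed one.
const SAMPLE_SOURCE = `
const { NodeVM } = require('vm2');

// Vulnerable: nesting: true lets sandboxed code reach vm2 itself.
const weak = new NodeVM({
  nesting: true,
  require: { external: false, builtin: [] },
});

// Hardened: nesting left at its default (off); vm2 >= 3.11.1 must also be installed.
const hardened = new NodeVM({
  require: { external: false, builtin: [] },
});
`;

function audit(lock, source) {
  return {
    vulnerableVm2: findVulnerableVm2(lock),
    nestedNodeVM: findNestedNodeVM(source, 'sandbox.js'),
  };
}

console.log(JSON.stringify(audit(SAMPLE_LOCK, SAMPLE_SOURCE), null, 2));
```

Run it with `node` to see the report; in a real audit, feed it the contents of each package-lock.json and each file that references `NodeVM`. A hit in either list means the deployment needs the patch, and a hit in `nestedNodeVM` means the configuration should be reviewed as well.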
🛡️ Detection Rules
```yaml
title: CVE-2026-44007 - vm2 Sandbox Escape via Nested VM Creation
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects a Node.js process whose command line loads the vm2 library inline
  (require('vm2')), one step in the CVE-2026-44007 escape chain, in which code
  running inside a NodeVM created with nesting: true re-requires vm2 and builds
  an inner NodeVM with unrestricted require settings. The rule only sees vm2
  loaded from the command line (node -e ...); the far more common case, vm2
  required from a script on disk, leaves no command-line artifact and has to be
  found by auditing code and dependency versions instead.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44007/
tags:
  - attack.execution
  - attack.t1059.007
  - attack.t1059.003
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\node.exe'
      - '/node'
    CommandLine|contains:
      - "require('vm2')"
  condition: selection
falsepositives:
  - Developers or CI jobs loading vm2 from the command line
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
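To see what the rule above actually catches, here is an added example, not part of the advisory or of the rule itself: its selection logic (a Node.js image plus a command line containing `require('vm2')`) re-implemented as a function and run over constructed process-creation events, including one that shows the blind spot where vm2 is loaded from a script file rather than from the command line. Field names follow the Sigma process_creation convention (`Image`, `CommandLine`); the events are made up for the example, and matching is case-insensitive to mirror Sigma's default string handling.

```javascript
// Added example (not from the advisory or the rule): evaluate the Sigma
// selection for CVE-2026-44007 against constructed process_creation events.

// Mirrors the rule's selection: Image ends with \node.exe or /node, and the
// command line contains require('vm2'). Sigma matches case-insensitively by
// default, so both fields are lower-cased before comparison.
function matchesRule(event) {
  const image = String(event.Image || '').toLowerCase();
  const cmd = String(event.CommandLine || '').toLowerCase();
  const isNode = image.endsWith('\\node.exe') || image.endsWith('/node');
  return isNode && cmd.includes("require('vm2')");
}

// Constructed sample events, one per case worth understanding.
const SAMPLE_EVENTS = [
  // Inline evaluation on Windows: the rule fires.
  { Image: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: 'node -e "require(\'vm2\')"' },
  // Same pattern on Linux: fires.
  { Image: '/usr/bin/node',
    CommandLine: 'node -e "const { NodeVM } = require(\'vm2\')"' },
  // vm2 required from a script on disk: no command-line artifact, so the
  // rule is blind to the most common deployment.
  { Image: '/usr/bin/node',
    CommandLine: 'node sandbox-runner.js' },
  // The string appears, but the process is not node: no match.
  { Image: 'C:\\Windows\\System32\\cmd.exe',
    CommandLine: 'cmd /c echo require(\'vm2\')' },
];

// Return one verdict per event, with the command line for readability.
function evaluate(events) {
  return events.map((e, index) => ({
    index,
    match: matchesRule(e),
    commandLine: e.CommandLine,
  }));
}

console.table(evaluate(SAMPLE_EVENTS));
```

The third event is the important one: a sandbox host that loads vm2 from its own source files produces a command line like `node sandbox-runner.js`, which this rule never matches. Treat the rule as a low-cost signal for ad-hoc inline use and rely on dependency and configuration audits for coverage.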
Indicators of Compromise
The entries below describe the conditions that make a deployment exploitable, not artifacts left behind by an attack.
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44007 | Vulnerable version | vm2 Node.js library versions prior to 3.11.1 |
| CVE-2026-44007 | Vulnerable configuration | NodeVM created with nesting: true |
| CVE-2026-44007 | Escape primitive | Sandboxed code able to require('vm2') despite the configured require restrictions |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.