PT-2026-38394 · Npm · Vm2

Kodove · Published 2026-05-07 · Updated 2026-06-04 · CVE-2026-44003

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

vm2 versions prior to 3.11.0

Description

A performance optimization in the code transformer skips AST (Abstract Syntax Tree) analysis when the code does not contain the keywords catch, import, or async. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, exposing internal security functions including handleException(), wrapWith(), and import(). This occurs because the AST visitor designed to block access to the internal state and the instrumentation for with statements are bypassed when the regex check is not triggered.

Recommendations

Update to version 3.11.0.

Exploit

Fix

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

CVE-2026-44003
GHSA-WP5R-2GW5-M7Q7

Affected Products

Vm2