CVE-2026-44002: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak

May 7, 2026

vm2’s CallSite wrapper class (intended as a safe wrapper for V8’s native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.

References

github.com/advisories/GHSA-v27g-jcqj-v8rw
github.com/patriksimek/vm2
github.com/patriksimek/vm2/releases/tag/v3.11.0
github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw
nvd.nist.gov/vuln/detail/CVE-2026-44002

Code Behaviors & Features

Detect and mitigate CVE-2026-44002 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →