CVE-2026-44003: vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

May 7, 2026

vm2’s code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import).

References

github.com/advisories/GHSA-wp5r-2gw5-m7q7
github.com/patriksimek/vm2
github.com/patriksimek/vm2/releases/tag/v3.11.0
github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7
nvd.nist.gov/vuln/detail/CVE-2026-44003

Code Behaviors & Features

Detect and mitigate CVE-2026-44003 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →