Critical Vulnerabilities in vm2 Node.js Library Allow Sandbox Escape and Arbitrary Code Execution
A series of critical security vulnerabilities have been identified in the vm2 Node.js library, potentially enabling attackers to bypass sandbox protections and execute arbitrary code on affected systems.
vm2 is an open-source library designed to run untrusted JavaScript code within a secure sandbox environment. It achieves this by intercepting and proxying JavaScript objects, thereby preventing the sandboxed code from accessing the host environment.
The recently disclosed vulnerabilities are as follows:
– CVE-2026-24118 (CVSS score: 9.8): This flaw allows sandbox escape via the __lookupGetter__ method, enabling attackers to execute arbitrary code on the host system. It affects versions up to and including 3.10.4 and has been patched in version 3.11.0.
– CVE-2026-24120 (CVSS score: 9.8): Serving as a patch bypass for CVE-2023-37466, this vulnerability permits attackers to escape the sandbox through the species property of promise objects, leading to arbitrary command execution on the host. Versions up to and including 3.10.3 are affected, with a fix available in version 3.10.5.
– CVE-2026-24781 (CVSS score: 9.8): This issue enables sandbox escape via the inspect function, allowing attackers to run arbitrary code on the host system. It impacts versions up to and including 3.10.3 and has been addressed in version 3.11.0.
– CVE-2026-26332 (CVSS score: 9.8): By exploiting the SuppressedError feature, this vulnerability allows attackers to escape the sandbox and execute arbitrary code on the host. Affected versions include those up to and including 3.10.4, with a patch available in version 3.11.0.
– CVE-2026-26956 (CVSS score: 9.8): This flaw involves a protection mechanism failure, enabling sandbox escape and arbitrary code execution by triggering a TypeError through Symbol-to-string coercion. It affects version 3.10.4 (confirmed on Node.js 25.6.1) and has been patched in version 3.10.5.
– CVE-2026-43997 (CVSS score: 10.0): A code injection vulnerability that allows attackers to obtain the host Object and escape the sandbox, leading to arbitrary code execution. Versions up to and including 3.10.5 are affected, with a fix in version 3.11.0.
– CVE-2026-43999 (CVSS score: 9.9): This vulnerability enables attackers to bypass NodeVM’s built-in allowlist, allowing the loading of excluded built-in modules like child_process and achieving remote code execution. It affects version 3.10.5 and has been patched in version 3.11.0.
– CVE-2026-44005 (CVSS score: 10.0): This issue allows attacker-controlled JavaScript to escape the sandbox and perform prototype pollution. Versions from 3.9.6 to 3.10.5 are affected, with a fix in version 3.11.0.
– CVE-2026-44006 (CVSS score: 10.0): A code injection vulnerability via BaseHandler.getPrototypeOf that enables sandbox escape and remote code execution. Versions up to and including 3.10.5 are affected, with a patch in version 3.11.0.
– CVE-2026-44007 (CVSS score: 9.1): An improper access control vulnerability that allows sandbox escape and execution of arbitrary operating system commands on the host. Versions up to and including 3.11.0 are affected, with a fix in version 3.11.1.
– CVE-2026-44008 (CVSS score: 9.8): This flaw allows sandbox escape via neutralizeArraySpeciesBatch(), permitting attackers to execute arbitrary commands on the host. Versions up to and including 3.11.1 are affected, with a patch in version 3.11.2.
– CVE-2026-44009 (CVSS score: 9.8): A vulnerability that allows sandbox escape via a null proto exception, enabling attackers to execute arbitrary commands on the host. Versions up to and including 3.11.1 are affected, with a fix in version 3.11.2.
These disclosures follow the release of patches for another critical sandbox escape flaw (CVE-2026-22709, CVSS score: 9.8) by vm2 maintainer Patrik Simek a few months prior. This earlier vulnerability also had the potential to lead to arbitrary code execution on the host system.
The recurrence of such vulnerabilities underscores the challenges associated with securely isolating untrusted code in JavaScript-based sandbox environments. Simek has previously acknowledged the likelihood of future bypasses being discovered. Users of vm2 are strongly advised to update to the latest version (3.11.2), which is the first release that contains fixes for every vulnerability listed above.
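The affected-version ranges listed above can be turned into a dependency-audit check, which is what the following added example does. It is example code written for this page, not code from the vm2 project or from the article: the advisory table is copied from the bullet list above, while the function names, the package-lock.json layout it walks (lockfileVersion 2/3 "packages" map, including nested copies under a transitive dependency) and the sample lock file are assumptions constructed for the example. It goes slightly beyond the text by auditing every installed copy of vm2 rather than only the top-level one.

```javascript
// Added example: map an installed vm2 version to the CVEs in the advisory
// above. Ranges are copied from the advisory text (inclusive bounds);
// everything else (function names, sample lock file) is constructed here.

// Affected ranges as stated in the advisory: min (null = any lower
// version) and max are both inclusive; "fixed" is the first patched release.
const VM2_ADVISORIES = [
  { id: 'CVE-2026-24118', cvss: 9.8,  min: null,     max: '3.10.4', fixed: '3.11.0' },
  { id: 'CVE-2026-24120', cvss: 9.8,  min: null,     max: '3.10.3', fixed: '3.10.5' },
  { id: 'CVE-2026-24781', cvss: 9.8,  min: null,     max: '3.10.3', fixed: '3.11.0' },
  { id: 'CVE-2026-26332', cvss: 9.8,  min: null,     max: '3.10.4', fixed: '3.11.0' },
  { id: 'CVE-2026-26956', cvss: 9.8,  min: '3.10.4', max: '3.10.4', fixed: '3.10.5' },
  { id: 'CVE-2026-43997', cvss: 10.0, min: null,     max: '3.10.5', fixed: '3.11.0' },
  { id: 'CVE-2026-43999', cvss: 9.9,  min: '3.10.5', max: '3.10.5', fixed: '3.11.0' },
  { id: 'CVE-2026-44005', cvss: 10.0, min: '3.9.6',  max: '3.10.5', fixed: '3.11.0' },
  { id: 'CVE-2026-44006', cvss: 10.0, min: null,     max: '3.10.5', fixed: '3.11.0' },
  { id: 'CVE-2026-44007', cvss: 9.1,  min: null,     max: '3.11.0', fixed: '3.11.1' },
  { id: 'CVE-2026-44008', cvss: 9.8,  min: null,     max: '3.11.1', fixed: '3.11.2' },
  { id: 'CVE-2026-44009', cvss: 9.8,  min: null,     max: '3.11.1', fixed: '3.11.2' },
];
// CVE-2026-22709 is deliberately omitted: the advisory gives no version range for it.

// The release the advisory recommends; the first one that closes every entry above.
const RECOMMENDED_MIN = '3.11.2';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release suffix is
// dropped) into a numeric triple. Throws on input that is not a version.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-way comparison (-1, 0, 1), so that 3.9.6 < 3.10.0 as it
// should, rather than the lexical order a plain string compare would give.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisories whose inclusive [min, max] range contains `version`.
function affectedAdvisories(version) {
  return VM2_ADVISORIES.filter(a =>
    (a.min === null || compareSemver(version, a.min) >= 0) &&
    compareSemver(version, a.max) <= 0);
}

// Audit a single installed version: CVE ids, highest CVSS and the upgrade target.
function assessVm2Version(version) {
  const hits = affectedAdvisories(version);
  return {
    version,
    vulnerable: hits.length > 0,
    cves: hits.map(a => a.id),
    maxCvss: hits.reduce((m, a) => Math.max(m, a.cvss), 0),
    upgradeTo: compareSemver(version, RECOMMENDED_MIN) < 0 ? RECOMMENDED_MIN : null,
  };
}

// Walk a parsed package-lock.json (assumed lockfileVersion 2/3 "packages"
// map) and audit every vm2 copy, including ones nested under other packages.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      results.push({ path, ...assessVm2Version(entry.version) });
    }
  }
  return results;
}

// Constructed sample lock file: one direct vm2 dependency on an affected
// release and one nested copy already on the recommended release.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.10.0' } },
    'node_modules/vm2': { version: '3.10.4' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.2' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ` +
    (r.vulnerable ? `${r.cves.length} CVE(s), max CVSS ${r.maxCvss}` : 'not affected') +
    (r.upgradeTo ? ` -> upgrade to ${r.upgradeTo}` : ''));
}
```

Run it with `node` after replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. The check is deliberately range-based rather than "is it the latest", so a lock file pinned to 3.11.0 or 3.11.1 still reports the later CVE-2026-44007/44008/44009 entries instead of passing silently.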