Critical Vulnerabilities Found in vm2 Node.js Library Enable Sandbox Escape and Arbitrary Code Execution

A series of critical security vulnerabilities have been identified in the vm2 Node.js library, potentially allowing attackers to bypass sandbox protections and execute arbitrary code on affected systems. These vulnerabilities, each assigned a Common Vulnerabilities and Exposures (CVE) identifier, highlight significant risks for applications relying on vm2 for secure execution of untrusted code.

Overview of vm2 and Its Importance

vm2 is an open-source Node.js library designed to run untrusted JavaScript code within a secure, isolated environment. By intercepting and proxying JavaScript objects, vm2 prevents sandboxed code from accessing the host environment, thereby mitigating potential security threats. This functionality is crucial for applications that need to execute user-generated scripts safely, such as online code editors, testing frameworks, and other platforms that incorporate third-party code execution.

Detailed Analysis of the Vulnerabilities

The recently disclosed vulnerabilities in vm2 are severe, with most carrying a CVSS (Common Vulnerability Scoring System) score of 9.8 or higher, indicating critical severity. These flaws could be exploited to escape the sandbox environment and execute arbitrary code on the host system. Below is a detailed examination of each vulnerability:

1. CVE-2026-24118 (CVSS score: 9.8): This vulnerability allows attackers to escape the sandbox via the __lookupGetter__ method, enabling the execution of arbitrary code on the host system. It affects vm2 versions up to and including 3.10.4 and has been patched in version 3.11.0.

2. CVE-2026-24120 (CVSS score: 9.8): Serving as a patch bypass for a previous vulnerability (CVE-2023-37466), this flaw permits sandbox escape through the species property of promise objects, leading to arbitrary command execution on the host. It impacts versions up to 3.10.3 and is fixed in version 3.10.5.

3. CVE-2026-24781 (CVSS score: 9.8): This issue allows sandbox escape via the inspect function, granting attackers the ability to run arbitrary code on the host system. Affected versions include those up to 3.10.3, with patches available in version 3.11.0.

4. CVE-2026-26332 (CVSS score: 9.8): Exploiting the SuppressedError feature, this vulnerability enables sandbox escape and arbitrary code execution on the host. It affects versions up to 3.10.4 and has been addressed in version 3.11.0.

5. CVE-2026-26956 (CVSS score: 9.8): This flaw involves a protection mechanism failure, allowing sandbox escape and arbitrary code execution by triggering a TypeError through Symbol-to-string coercion. It affects version 3.10.4 (confirmed on Node.js 25.6.1) and is patched in version 3.10.5.

6. CVE-2026-43997 (CVSS score: 10.0): A code injection vulnerability that enables attackers to obtain the host Object and escape the sandbox, leading to arbitrary code execution. This issue affects versions up to 3.10.5 and is fixed in version 3.11.0.

7. CVE-2026-43999 (CVSS score: 9.9): This vulnerability allows bypassing NodeVM’s built-in allowlist, enabling attackers to load excluded built-in modules like child_process and achieve remote code execution. It affects version 3.10.5 and has been patched in version 3.11.0.

8. CVE-2026-44005 (CVSS score: 10.0): This issue permits attacker-controlled JavaScript to escape the sandbox and perform prototype pollution, potentially leading to arbitrary code execution. Affected versions range from 3.9.6 to 3.10.5, with patches available in version 3.11.0.

9. CVE-2026-44006 (CVSS score: 10.0): A code injection vulnerability via BaseHandler.getPrototypeOf that allows sandbox escape and remote code execution. It affects versions up to 3.10.5 and is addressed in version 3.11.0.

10. CVE-2026-44007 (CVSS score: 9.1): This flaw involves improper access control, enabling sandbox escape and execution of arbitrary operating system commands on the host. It affects versions up to 3.11.0 and has been patched in version 3.11.1.

11. CVE-2026-44008 (CVSS score: 9.8): Exploiting the neutralizeArraySpeciesBatch() function, this vulnerability allows sandbox escape and execution of arbitrary commands on the host. It affects versions up to 3.11.1 and is fixed in version 3.11.2.

12. CVE-2026-44009 (CVSS score: 9.8): This issue enables sandbox escape via a null prototype exception, permitting attackers to execute arbitrary commands on the host. Affected versions include those up to 3.11.1, with patches available in version 3.11.2.
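As an added example (not code from the advisory or from the vm2 project), the following Node.js helper turns the affected and fixed versions listed above into a triage check: given an installed vm2 version, it returns the CVEs from this list that apply to it and the lowest release that fixes all of them. The ranges are transcribed from the text as stated; where an entry only says "up to X", no lower bound is assumed.

```javascript
// Added example, not part of the advisory or the vm2 project. The affected
// ranges below are transcribed from the advisory text as written; entries
// that only say "up to X" carry no minAffected.
const VM2_ADVISORIES = [
  { cve: "CVE-2026-24118", cvss: 9.8, maxAffected: "3.10.4", fixed: "3.11.0" },
  { cve: "CVE-2026-24120", cvss: 9.8, maxAffected: "3.10.3", fixed: "3.10.5" },
  { cve: "CVE-2026-24781", cvss: 9.8, maxAffected: "3.10.3", fixed: "3.11.0" },
  { cve: "CVE-2026-26332", cvss: 9.8, maxAffected: "3.10.4", fixed: "3.11.0" },
  { cve: "CVE-2026-26956", cvss: 9.8, minAffected: "3.10.4", maxAffected: "3.10.4", fixed: "3.10.5" },
  { cve: "CVE-2026-43997", cvss: 10.0, maxAffected: "3.10.5", fixed: "3.11.0" },
  { cve: "CVE-2026-43999", cvss: 9.9, minAffected: "3.10.5", maxAffected: "3.10.5", fixed: "3.11.0" },
  { cve: "CVE-2026-44005", cvss: 10.0, minAffected: "3.9.6", maxAffected: "3.10.5", fixed: "3.11.0" },
  { cve: "CVE-2026-44006", cvss: 10.0, maxAffected: "3.10.5", fixed: "3.11.0" },
  { cve: "CVE-2026-44007", cvss: 9.1, maxAffected: "3.11.0", fixed: "3.11.1" },
  { cve: "CVE-2026-44008", cvss: 9.8, maxAffected: "3.11.1", fixed: "3.11.2" },
  { cve: "CVE-2026-44009", cvss: 9.8, maxAffected: "3.11.1", fixed: "3.11.2" },
];

// Parse "3.10.4" (a leading "v" or a trailing pre-release tag is tolerated)
// into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories whose stated affected range includes the installed version.
function applicableCves(installed) {
  return VM2_ADVISORIES.filter(
    (a) =>
      compareVersions(installed, a.maxAffected) <= 0 &&
      (!a.minAffected || compareVersions(installed, a.minAffected) >= 0),
  );
}

// Lowest release that fixes every applicable advisory; null if none apply.
function minimumSafeVersion(installed) {
  return applicableCves(installed)
    .map((a) => a.fixed)
    .reduce((best, v) => (best && compareVersions(best, v) >= 0 ? best : v), null);
}
```

Feed it the version from `npm ls vm2` (or the lockfile) for each deployed service to see which of the twelve entries still apply before scheduling the upgrade.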

Implications and Recommendations

The discovery of these vulnerabilities underscores the challenges in maintaining secure sandbox environments, especially when dealing with untrusted code execution. For developers and organizations utilizing vm2, it is imperative to:

– Update Immediately: Ensure that vm2 is updated to the latest version (3.11.2 or higher) to incorporate patches for these vulnerabilities.

– Review Security Practices: Regularly assess and update security protocols to mitigate potential risks associated with sandbox escapes.

– Consider Alternative Solutions

Category: Security News