A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
The dozen CVEs and their assessed severity
The newly disclosed flaws comprise twelve distinct Common Vulnerabilities and Exposures (CVEs), many carrying top-tier CVSS scores and grouped around sandbox escapes and code injection vectors. The vulnerabilities named in the disclosure are:
- CVE-2026-24118 (CVSS 9.8) — sandbox escape via "__lookupGetter__", enabling arbitrary code execution. (Affects versions <= 3.10.4; patched in 3.11.0)
- CVE-2026-24120 (CVSS 9.8) — a patch bypass for CVE-2023-37466, escape via the species property of Promise objects. (Affects versions <= 3.10.3; patched in 3.10.5)
- CVE-2026-24781 (CVSS 9.8) — sandbox escape via the "inspect" function. (Affects versions <= 3.10.3; patched in 3.11.0)
- CVE-2026-26332 (CVSS 9.8) — sandbox escape via "SuppressedError". (Affects versions <= 3.10.4; patched in 3.11.0)
- CVE-2026-26956 (CVSS 9.8) — TypeError triggered by Symbol-to-string coercion leading to sandbox escape; confirmed on Node.js 25.6.1. (Affects version 3.10.4; patched in 3.10.5)
- CVE-2026-43997 (CVSS 10.0) — code injection that allows obtaining the host Object and sandbox escape. (Affects versions <= 3.10.5; patched in 3.11.0)
- CVE-2026-43999 (CVSS 9.9) — bypass of NodeVM's built-in allowlist enabling loading of excluded builtins like child_process. (Affects version 3.10.5; patched in 3.11.0)
- CVE-2026-44005 (CVSS 10.0) — attacker-controlled JavaScript escapes the sandbox and enables prototype pollution. (Affects versions 3.9.6–3.10.5; patched in 3.11.0)
- CVE-2026-44006 (CVSS 10.0) — code injection via BaseHandler.getPrototypeOf enabling sandbox escape and remote code execution. (Affects versions <= 3.10.5; patched in 3.11.0)
- CVE-2026-44007 (CVSS 9.1) — improper access control allowing sandbox escape and execution of OS commands. (Affects versions <= 3.11.0; patched in 3.11.1)
- CVE-2026-44008 (CVSS 9.8) — sandbox escape via neutralizeArraySpeciesBatch(); arbitrary command execution. (Affects versions <= 3.11.1; patched in 3.11.2)
- CVE-2026-44009 (CVSS 9.8) — sandbox escape via a null proto exception; arbitrary command execution. (Affects versions <= 3.11.1; patched in 3.11.2)
How vm2's sandboxing model is defeated
vm2 is an open-source library designed to run untrusted JavaScript inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment. The new disclosures show multiple distinct failure modes of that interception and proxying approach: direct code injection paths, property- or prototype-based bypasses (species, null proto, prototype pollution), accessor- and inspector-based escapes ("__lookupGetter__", "inspect"), built-in allowlist bypasses (allowing child_process), and coercion or exception-triggered failures (Symbol-to-string TypeErrors, SuppressedError).
Together, these vectors permit sandboxed code to obtain the host Object, load excluded builtins, perform prototype pollution, or otherwise run arbitrary commands and code on the underlying host when exploited on affected vm2 versions.
Affected versions, patches, and the single update to apply
The disclosure lists affected vm2 releases ranging from 3.9.6 through 3.11.1 depending on the CVE. Fixes are already published across a sequence of releases: several issues were patched in 3.11.0, some in 3.10.5 and 3.11.1, and the most recent fixes appear in 3.11.2.
The report advises users of vm2 to update to the latest version, 3.11.2, which is the only release that covers the full set of disclosed issues; intermediate releases (3.10.5, 3.11.0, 3.11.1) each leave some of the listed CVEs unpatched.
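Because the fixed version differs per CVE, an inventory check has to compare the installed vm2 release against each affected range rather than against a single cutoff. The following script is an added example, not code from the vm2 project or from the original report: it encodes the affected ranges and fixed versions exactly as listed above, compares versions numerically (so that 3.10.x sorts after 3.9.x, which a plain string compare gets wrong), and walks a package-lock.json to report every nested copy of vm2 with the CVEs it is listed as affected by. The lockfile content is constructed for the example.

```javascript
// Affected-version table transcribed from the disclosure summary above.
// min === null means the page states "<= max" with no lower bound.
const VM2_ADVISORIES = [
  { cve: 'CVE-2026-24118', cvss: 9.8,  min: null,     max: '3.10.4', fixed: '3.11.0' },
  { cve: 'CVE-2026-24120', cvss: 9.8,  min: null,     max: '3.10.3', fixed: '3.10.5' },
  { cve: 'CVE-2026-24781', cvss: 9.8,  min: null,     max: '3.10.3', fixed: '3.11.0' },
  { cve: 'CVE-2026-26332', cvss: 9.8,  min: null,     max: '3.10.4', fixed: '3.11.0' },
  { cve: 'CVE-2026-26956', cvss: 9.8,  min: '3.10.4', max: '3.10.4', fixed: '3.10.5' },
  { cve: 'CVE-2026-43997', cvss: 10.0, min: null,     max: '3.10.5', fixed: '3.11.0' },
  { cve: 'CVE-2026-43999', cvss: 9.9,  min: '3.10.5', max: '3.10.5', fixed: '3.11.0' },
  { cve: 'CVE-2026-44005', cvss: 10.0, min: '3.9.6',  max: '3.10.5', fixed: '3.11.0' },
  { cve: 'CVE-2026-44006', cvss: 10.0, min: null,     max: '3.10.5', fixed: '3.11.0' },
  { cve: 'CVE-2026-44007', cvss: 9.1,  min: null,     max: '3.11.0', fixed: '3.11.1' },
  { cve: 'CVE-2026-44008', cvss: 9.8,  min: null,     max: '3.11.1', fixed: '3.11.2' },
  { cve: 'CVE-2026-44009', cvss: 9.8,  min: null,     max: '3.11.1', fixed: '3.11.2' },
];

// The release the report recommends; covers every CVE in the table.
const RECOMMENDED = '3.11.2';

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v") into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver-style comparison: -1, 0 or 1. A string compare would
// place "3.10.5" before "3.9.6", which is exactly the mistake to avoid.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every advisory whose stated affected range contains `version`.
function affectedCves(version) {
  return VM2_ADVISORIES.filter(
    (a) => (a.min === null || compareVersions(version, a.min) >= 0) &&
           compareVersions(version, a.max) <= 0,
  );
}

// Scan a package-lock.json (as text) for every installed copy of vm2,
// including nested copies pulled in by other dependencies.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  const record = (path, version) => findings.push({
    path,
    version,
    cves: affectedCves(version).map((a) => a.cve),
    upgradeTo: RECOMMENDED,
  });
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      record(path, entry.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 lockfiles carry
  // both shapes, so only walk this when "packages" is absent).
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') record(path, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lockfile: a direct vm2 3.10.5 plus a nested 3.11.1
// brought in by a hypothetical plugin. Neither is a real project file.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.10.0', 'some-plugin': '1.0.0' } },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.11.1' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.1' },
  },
});

// Stand-alone demo against the constructed lockfile.
for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  const list = f.cves.length ? f.cves.join(', ') : 'no listed CVEs';
  console.log(`${f.path}@${f.version}: ${list} -> upgrade to ${f.upgradeTo}`);
}
```

In a real audit, read the project's package-lock.json from disk and pass its text to `auditLockfile`; the nested-copy handling matters because a transitive dependency can pin its own vm2 release independently of the top-level one.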
Patrik Simek, prior fixes, and the disclosure timeline
The disclosure arrives a couple of months after vm2 maintainer Patrik Simek released patches for another critical sandbox escape flaw, CVE-2026-22709 (CVSS 9.8). The string of newly identified sandbox escapes follows Simek's prior acknowledgement that new bypasses would likely be discovered in the future.
Those earlier and current patches reflect an ongoing patch-and-discovery cycle centered on the difficulties of isolating untrusted JavaScript code in proxy-based sandboxes.
What this means for technologists, enterprises, and attackers
- Technologists and security teams: Users running untrusted JavaScript via vm2 should prioritize updating to vm2 3.11.2 to cover the full set of disclosed fixes and review any runtime configurations that rely on NodeVM allowlists or builtins.
- Affected enterprises and procurement leaders: Systems that depend on vm2 for sandboxing need inventory confirmation of the vm2 version in use and expedited patch deployment plans where versions fall within the affected ranges listed for each CVE.
- Maintainers and open-source projects: The sequence of disclosures underscores the fragility of proxy- and interception-based sandbox strategies and the likelihood of continued bypass discovery; maintainers will need to keep tracking and patching emerging bypass techniques.
The disclosures make plain a persistent technical reality: sandboxing in JavaScript environments is brittle, and several independent failure modes can let attacker-controlled code reach the host. Immediate upgrading to vm2 3.11.2 is the concrete mitigation offered; beyond that, the record of repeated bypasses raises a clear question for projects that rely on vm2 — how to balance the convenience of in-process sandboxing with the recurring risk that new escapes will be found.
Original story: https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html