vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
Twelve Critical Vulnerabilities in vm2 Node.js Library Enable Sandbox Escape and Arbitrary Code Execution
TL;DR Twelve critical vulnerabilities have been disclosed in the vm2 Node.js sandbox library, all permitting attackers to escape the sandbox and execute arbitrary code on the host system. The flaws span multiple attack vectors including prototype pollution, code injection, and object property manipulation. Users running vm2 versions 3.10.4 and earlier should update immediately to version 3.11.2.
What happened
Twelve sandbox escape vulnerabilities have been discovered in vm2, an open-source Node.js library designed to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The vulnerabilities span a range of escape mechanisms:
- CVE-2026-24118 (CVSS 9.8): Sandbox escape via `__lookupGetter__`, affecting versions ≤3.10.4, patched in 3.11.0.
- CVE-2026-24120 (CVSS 9.8): Patch bypass for CVE-2023-37466 allowing escape through promise object species property, affecting versions ≤3.10.3, patched in 3.10.5.
- CVE-2026-24781 (CVSS 9.8): Sandbox escape via the `inspect` function, affecting versions ≤3.10.3, patched in 3.11.0.
- CVE-2026-26332 (CVSS 9.8): Escape via `SuppressedError`, affecting versions ≤3.10.4, patched in 3.11.0.
- CVE-2026-26956 (CVSS 9.8): Protection mechanism failure triggered by Symbol-to-string coercion TypeError. Confirmed on Node.js 25.6.1. Affects version 3.10.4, patched in 3.10.5.
- CVE-2026-43997 (CVSS 10.0): Code injection enabling attacker access to the host Object, affecting versions ≤3.10.5, patched in 3.11.0.
- CVE-2026-43999 (CVSS 9.9): Bypass of NodeVM's built-in allowlist, allowing loading of excluded builtins such as `child_process`, affecting version 3.10.5, patched in 3.11.0.
- CVE-2026-44005 (CVSS 10.0): Escape enabling prototype pollution, affecting versions 3.9.6–3.10.5, patched in 3.11.0.
- CVE-2026-44006 (CVSS 10.0): Code injection via `BaseHandler.getPrototypeOf`, affecting versions ≤3.10.5, patched in 3.11.0.
- CVE-2026-44007 (CVSS 9.1): Improper access control permitting arbitrary operating system command execution, affecting versions ≤3.11.0, patched in 3.11.1.
- CVE-2026-44008 (CVSS 9.8): Escape via `neutralizeArraySpeciesBatch()`, affecting versions ≤3.11.1, patched in 3.11.2.
- CVE-2026-44009 (CVSS 9.8): Escape via null proto exception, affecting versions ≤3.11.1, patched in 3.11.2.
This disclosure follows a prior critical vulnerability (CVE-2026-22709, CVSS 9.8) patched by vm2 maintainer Patrik Simek a couple of months earlier. Simek has acknowledged that new sandbox bypasses will likely be discovered in the future, suggesting structural challenges in isolating untrusted JavaScript execution.
Why it matters
vm2 is widely used in applications requiring execution of user-supplied or third-party JavaScript code with restricted access to the host system. This includes serverless compute platforms, code sandboxing services, and application plugin systems. A successful sandbox escape grants an attacker the same privileges as the Node.js process, potentially leading to:
- Unauthorized access to sensitive data on the host system
- Lateral movement within networked infrastructure
- Compromise of CI/CD pipelines if vm2 is used for code evaluation
- Supply chain attacks if used in package management or code analysis tools
The density of vulnerabilities—twelve critical flaws in a relatively narrow version range—indicates systemic design issues in how the library isolates execution contexts. The presence of both single-vector bypasses (e.g., CVE-2026-24118) and bypasses of previous patches (CVE-2026-24120) suggests attackers may chain multiple techniques or rapidly discover new escape vectors.
Affected systems and CVEs
- vm2 (Node.js library)
- CVE-2026-24118 (CVSS 9.8)
- CVE-2026-24120 (CVSS 9.8)
- CVE-2026-24781 (CVSS 9.8)
- CVE-2026-26332 (CVSS 9.8)
- CVE-2026-26956 (CVSS 9.8)
- CVE-2026-43997 (CVSS 10.0)
- CVE-2026-43999 (CVSS 9.9)
- CVE-2026-44005 (CVSS 10.0)
- CVE-2026-44006 (CVSS 10.0)
- CVE-2026-44007 (CVSS 9.1)
- CVE-2026-44008 (CVSS 9.8)
- CVE-2026-44009 (CVSS 9.8)
What to do
- Update vm2 to version 3.11.2 immediately. This version addresses all twelve vulnerabilities.
- If version 3.11.2 is unavailable in your environment, apply the minimum version patch for the specific CVE:
  - For CVE-2026-24118, -24781, -26332, -43997, -43999, -44005, -44006: update to 3.11.0 or later
  - For CVE-2026-24120, -26956: update to 3.10.5 or later
  - For CVE-2026-44007: update to 3.11.1 or later
  - For CVE-2026-44008, -44009: update to 3.11.2 or later
- Audit deployment logs for evidence of vm2 usage and prioritize patching systems that execute untrusted code.
- If upgrading is blocked, consider restricting vm2 to non-networked or air-gapped environments and limiting the Node.js process capabilities via OS-level sandboxing (e.g., seccomp, AppArmor, SELinux).
- Evaluate whether vm2 remains the appropriate choice for your use case, given the pattern of vulnerability discovery documented by the maintainer.
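The version checks above can be run against a lockfile to find every installed copy of vm2, including transitive ones. The following is an added example, not code from vm2 or from the original article: it walks the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3) and lists which CVEs from this page apply to each copy. The sample lockfile and the package names `plugin-host` and `vm2-helper` are constructed.

```javascript
// Affected ranges transcribed from the CVE list on this page (added example).
// [CVE, lowest affected (null = no lower bound stated), highest affected, fixed in]
const ADVISORIES = [
  ["CVE-2026-24118", null, "3.10.4", "3.11.0"],
  ["CVE-2026-24120", null, "3.10.3", "3.10.5"],
  ["CVE-2026-24781", null, "3.10.3", "3.11.0"],
  ["CVE-2026-26332", null, "3.10.4", "3.11.0"],
  ["CVE-2026-26956", "3.10.4", "3.10.4", "3.10.5"],
  ["CVE-2026-43997", null, "3.10.5", "3.11.0"],
  ["CVE-2026-43999", "3.10.5", "3.10.5", "3.11.0"],
  ["CVE-2026-44005", "3.9.6", "3.10.5", "3.11.0"],
  ["CVE-2026-44006", null, "3.10.5", "3.11.0"],
  ["CVE-2026-44007", null, "3.11.0", "3.11.1"],
  ["CVE-2026-44008", null, "3.11.1", "3.11.2"],
  ["CVE-2026-44009", null, "3.11.1", "3.11.2"],
];

// Numeric x.y.z comparison, so 3.9.6 sorts below 3.10.4 (string compare would not).
function cmp(a, b) {
  const [pa, pb] = [a, b].map(v => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function cvesFor(version) {
  return ADVISORIES
    .filter(([, lo, hi]) => (lo === null || cmp(version, lo) >= 0) && cmp(version, hi) <= 0)
    .map(([id, , , fixed]) => ({ id, fixed }));
}

// Walk the "packages" map of a package-lock.json and report every installed
// copy of vm2; the anchored match skips look-alike names such as vm2-helper.
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => meta.version && /(^|\/)node_modules\/vm2$/.test(path))
    .map(([path, meta]) => {
      const hits = cvesFor(meta.version);
      const upgradeTo = hits.map(h => h.fixed).sort(cmp).pop() || null;
      return { path, version: meta.version, cves: hits.map(h => h.id), upgradeTo };
    });
}

// Constructed sample lockfile; package names other than vm2 are hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/vm2": { version: "3.11.1" },
  "node_modules/plugin-host/node_modules/vm2": { version: "3.10.4" },
  "node_modules/vm2-helper": { version: "1.0.0" },
}};
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` in place of the sample.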
Open questions
- Whether any of these twelve vulnerabilities have been exploited in the wild.
- The specific timeline of discovery and responsible disclosure for each CVE.
- Whether other JavaScript sandbox libraries (such as `isolated-vm` or `worker_threads`) are affected by similar bypass techniques.
- Availability of proof-of-concept code or attack demonstrations.
Source
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution


