


Perceptive Security
SOC/SIEM Consultancy

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
Published:
7 May 2026 at 04:15:00
Alert date:
7 May 2026 at 05:02:56
Source:
thehackernews.com
Web Technologies, Supply Chain & Dependencies, Zero-Day Vulnerabilities
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that enable sandbox escape and arbitrary code execution. vm2 is designed to run untrusted JavaScript inside a sandbox by intercepting and proxying the JavaScript objects it hands to that code, so that the code never obtains a reference to host objects. These vulnerabilities defeat that proxy layer, allowing attacker-supplied code to break out of the sandbox and run with the full privileges of the host Node.js process. Any application that evaluates user- or tenant-supplied JavaScript through vm2 (plugin systems, rule engines, template evaluation, low-code tooling) should treat this as a remote code execution exposure.
Technical details
Twelve critical security vulnerabilities were disclosed in the vm2 Node.js library that enable sandbox escape and arbitrary code execution. The individual bypasses abuse a range of JavaScript mechanisms, including __lookupGetter__, Promise species properties, inspect functions, SuppressedError, Symbol-to-string coercion, host Object access, a NodeVM allowlist bypass, prototype pollution, BaseHandler.getPrototypeOf, neutralizeArraySpeciesBatch(), and null-prototype exceptions. Each gives code running inside the sandbox a path to an unproxied host object, from which it can reach the host process and, through it, the underlying system. The common thread is that the flaws sit in the proxy layer that is itself the sandbox boundary, not in something the sandbox wraps, which is why a single library upgrade rather than a configuration change is the only complete remediation.
Mitigation steps:
Users of vm2 are advised to update to the latest version (3.11.2), which closes all twelve CVEs. If only a narrower upgrade is possible, the fix release for each CVE is:
3.10.5 fixes CVE-2026-24120 and CVE-2026-26956
3.11.0 fixes CVE-2026-24118, CVE-2026-24781, CVE-2026-26332, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005 and CVE-2026-44006
3.11.1 fixes CVE-2026-44007
3.11.2 fixes CVE-2026-44008 and CVE-2026-44009
Check the version actually installed rather than the range declared in package.json (for example with npm ls vm2), and check for nested copies: vm2 is frequently pulled in transitively by plugin or workflow packages, and a nested copy pinned at an older version stays vulnerable even after the top-level dependency is upgraded. Because these escapes break the sandbox boundary itself, run any vm2-based evaluation of untrusted code in a separate, least-privileged process or container so that an escape is contained even if a future bypass appears.
Affected products:
Each of the following ranges is the affected range stated in one of the individual advisories linked below; taken together they cover every vm2 release up to and including 3.11.1.
vm2 Node.js library versions <= 3.10.4
vm2 Node.js library versions <= 3.10.3
vm2 Node.js library version 3.10.4
vm2 Node.js library versions <= 3.10.5
vm2 Node.js library version 3.10.5
vm2 Node.js library versions 3.9.6-3.10.5
vm2 Node.js library versions <= 3.11.0
vm2 Node.js library versions <= 3.11.1
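The following script is an added example for this page, not code from vm2 or from the source article. It audits a package-lock.json for every copy of vm2, including copies nested under other dependencies, and reports which of the CVEs above remain open at each installed version using the fix-release table from the mitigation section. The lock file content is constructed sample input, and the dependency name "some-plugin" in it is hypothetical.

```javascript
// Added example: find every vm2 copy in a package-lock.json and list the CVEs
// from this advisory that the installed version does not yet include a fix for.
// The fix-release table is taken from the advisory text; the sample lock file
// at the bottom is constructed input, not a real project.
const FIXED_IN = {
  '3.10.5': ['CVE-2026-24120', 'CVE-2026-26956'],
  '3.11.0': ['CVE-2026-24118', 'CVE-2026-24781', 'CVE-2026-26332', 'CVE-2026-43997',
             'CVE-2026-43999', 'CVE-2026-44005', 'CVE-2026-44006'],
  '3.11.1': ['CVE-2026-44007'],
  '3.11.2': ['CVE-2026-44008', 'CVE-2026-44009'],
};

// Numeric comparison of dotted versions; vm2 releases are plain x.y.z tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// CVEs whose fix release is newer than the installed version are still open.
function openCves(installed) {
  const open = [];
  for (const [fixed, cves] of Object.entries(FIXED_IN)) {
    if (compareVersions(installed, fixed) < 0) open.push(...cves);
  }
  return open.sort();
}

// Collect every vm2 copy in the lock file. lockfileVersion 2/3 keeps a flat
// "packages" map keyed by install path; lockfileVersion 1 nests "dependencies".
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// One record per installed copy: where it is, what version, which CVEs are open.
function audit(lock) {
  return findVm2(lock).map(({ path, version }) => ({ path, version, open: openCves(version) }));
}

// Constructed sample: the top-level vm2 is patched, but a hypothetical
// dependency "some-plugin" pins its own nested copy at 3.10.4.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { vm2: '^3.11.2', 'some-plugin': '^1.0.0' } },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.10.4' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.10.4' },
  },
};

// Usage: node vm2-audit.js [path/to/package-lock.json]; without an argument
// the constructed sample is audited.
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const r of audit(lock)) {
    console.log(`${r.path} ${r.version}: ${r.open.length ? 'OPEN ' + r.open.join(', ') : 'patched'}`);
  }
}
```

Run against the sample, the top-level copy reports as patched while the nested 3.10.4 copy reports all twelve CVEs open; that nested case is exactly what a package.json range check misses, which is why the script walks the lock file rather than reading the declared dependency.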
Related links:
https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p
https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c
https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
https://github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8
https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq
https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8
https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx
https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq
https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm
https://github.com/patriksimek/vm2/releases/tag/v3.11.2
https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html
Related CVEs:
CVE-2026-24118
CVE-2026-24120
CVE-2026-24781
CVE-2026-26332
CVE-2026-26956
CVE-2026-43997
CVE-2026-43999
CVE-2026-44005
CVE-2026-44006
CVE-2026-44007
CVE-2026-44008
CVE-2026-44009
Related threat actors: none listed
IOCs: none listed
This article was created with the assistance of AI technology by Perceptive.
