


Perceptive Security
SOC/SIEM Consultancy

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to …
Published:
3 May 2026 at 22:00:00
Alert date:
4 May 2026 at 18:09:25
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
vm2, an open source virtual machine/sandbox for Node.js, contains a critical vulnerability (CVE-2026-24120) that allows attackers to escape the sandbox and execute arbitrary commands on the host system. The vulnerability stems from an insufficient fix for a previous issue (CVE-2023-37466) and affects versions prior to 3.10.5. A sandbox escape of this kind could lead to complete system compromise. The issue has been patched in version 3.10.5, and users should upgrade immediately to prevent exploitation.
Mitigation steps:
Affected products:
vm2
Node.js
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-24120
https://github.com/patriksimek/vm2/releases/tag/v3.10.5
https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
This article was created with the assistance of AI technology by Perceptive.
