DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-24118: Remote Code Execution via Sandbox Escape in vm2

Vulnerability ID: CVE-2026-24118
CVSS Score: 9.8
Published: 2026-05-04

A critical vulnerability in the vm2 Node.js sandbox library allows attackers to bypass isolation mechanisms and execute arbitrary code on the host system. The flaw stems from insufficient sanitization of cross-realm object interactions and V8 internal algorithm behaviors.

TL;DR

vm2 prior to 3.11.0 fails to properly isolate JavaScript realms, allowing attackers to leverage context-confusion, reflective API traps, and V8's ArraySpeciesCreate algorithm to leak the host Function constructor and achieve remote code execution.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-693
  • Attack Vector: Network
  • CVSS Base Score: 9.8 CRITICAL
  • EPSS Score: N/A
  • Impact: Remote Code Execution (Sandbox Escape)
  • Exploit Status: Weaponized PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Any Node.js application utilizing the vm2 library prior to version 3.11.0 for untrusted code execution.
  • vm2: < 3.11.0 (Fixed in: 3.11.0)

Code Analysis

  • Commit f9b700b: Block Array species self-return via neutralize-and-restore pattern
  • Commit 2b5f3e3: Coverage for descriptor-based bypasses with recursive proxy wrapping

Mitigation Strategies

  • Update vm2 to version 3.11.0 immediately to mitigate the specific exploit paths.
  • Initiate migration away from vm2 as the project is deprecated and fundamentally insecure by design.
  • Adopt strong isolation mechanisms such as OS-level containerization (Docker, gVisor) or WebAssembly (Wasm) runtimes.
  • Run Node.js processes with the principle of least privilege to limit the impact of a successful sandbox escape.

Remediation Steps:

  1. Identify all projects depending on vm2 via package managers (npm audit, yarn audit).
  2. Update package.json to require vm2 version ^3.11.0.
  3. Run dependency install commands and deploy updated applications.
  4. Begin architecture review to replace in-process sandboxing with out-of-process isolation.

Read the full report for CVE-2026-24118 on our website for more details including interactive diagrams and full exploit analysis.
