DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox

Vulnerability ID: CVE-2026-24120
CVSS Score: 9.8
Published: 2026-05-05

An incomplete mitigation for an earlier sandbox escape in the vm2 Node.js module allows code running inside the sandbox to execute arbitrary code on the host. By substituting a Promise species constructor and overwriting Function.prototype.call, an attacker causes vm2's own host-side Promise wrappers, which resolved `.call` through the prototype chain at call time, to invoke attacker-controlled functions, bypassing the sandbox boundary and gaining full host access.

TL;DR

vm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Code running inside the sandbox overwrites Function.prototype.call and hijacks Promise creation (via Symbol.species) so that vm2's internal security wrappers hand control to attacker-supplied functions on the host side, yielding arbitrary code execution on the host. The only precondition is the ability to submit JavaScript to the sandbox, which is the default threat model for a module whose purpose is to run untrusted code.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94, CWE-693
  • Attack Vector: Network
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: 0.00080 (0.08% estimated probability of exploitation in the next 30 days; 23.22nd percentile)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications running vm2 versions < 3.10.5
  • vm2: < 3.10.5 (Fixed in: 3.10.5)

Code Analysis

Commit: 4b009c2

Fix Function.prototype.call interception in Promise wrappers

- return globalPromiseThen.call(this, onFulfilled, onRejected);
+ return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
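Review bot: the fix is only as strong as the `apply` binding it relies on; `apply` here must be a reference captured at module load (for example `Reflect.apply`, or `Function.prototype.apply` saved before any sandbox code runs), because if it is itself resolved through a prototype lookup at call time the same Function.prototype override that defeated `globalPromiseThen.call(this, ...)` intercepts it too. The hunk also converts only the `then` wrapper; any sibling wrapper in this file that still spells `globalX.call(this, ...)` (the `catch` and `finally` wrappers, if present) retains the original bug and should be rewritten the same way, and the `this` passed through should be verified to be a host-controlled promise rather than a sandbox object, since the engine's `then` still consults `this.constructor[Symbol.species]`.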
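To make the one-line diff concrete, the following is an added example written for this page, not vm2's code: it reproduces the shape of the vulnerable and fixed wrappers in plain Node.js, shows that overwriting Function.prototype.call intercepts the former but not the latter, and shows that Promise.prototype.then consults `this.constructor[Symbol.species]` regardless, which is the second hook the advisory names. All function names are the author's own; `apply` is bound to `Reflect.apply` as an assumption about what a captured trusted reference looks like.

```javascript
'use strict';
// Added example (not vm2 code). Demonstrates the two hooks named in the advisory:
//   (1) a wrapper that spells `hostFn.call(this, ...)` resolves `.call` on
//       Function.prototype at call time, so sandbox code that overwrites it
//       runs in the host's call stack; `apply(hostFn, this, args)` does not.
//   (2) Promise.prototype.then calls SpeciesConstructor(this, %Promise%), so a
//       promise whose .constructor is attacker controlled runs attacker code too.

// Trusted references must be captured before any untrusted code runs.
const apply = Reflect.apply;                 // assumption: the "apply" the fix refers to
const globalPromiseThen = Promise.prototype.then;

// Shape of the vulnerable wrapper: `.call` looked up through the prototype chain.
function vulnerableThen(onFulfilled, onRejected) {
  return globalPromiseThen.call(this, onFulfilled, onRejected);
}

// Shape of the fixed wrapper: no property lookup on the function object at all.
function fixedThen(onFulfilled, onRejected) {
  return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
}

// Simulated sandbox code: overwrite Function.prototype.call and record whether the
// wrapper's internal call went through the override. Restores the original afterwards.
function callIsIntercepted(wrapper) {
  const originalCall = Function.prototype.call;
  let intercepted = false;
  Function.prototype.call = function (thisArg, ...args) {
    // Attacker code now holds the real host function (`this`) and the host-side
    // `thisArg` before forwarding the call, which is the escape primitive.
    intercepted = true;
    return Reflect.apply(this, thisArg, args);
  };
  try {
    // Invoke the wrapper without touching the (now hijacked) .call ourselves.
    Reflect.apply(wrapper, Promise.resolve(42), [v => v]);
  } finally {
    Function.prototype.call = originalCall;
  }
  return intercepted;
}

// Species: even the fixed wrapper ends up inside the engine's `then`, which reads
// this.constructor[Symbol.species]. A subclass controlled by the attacker gets its
// getter (and, for a real attack, its constructor) invoked from the host side.
function speciesIsConsulted(wrapper) {
  let getterRan = false;
  class Spy extends Promise {
    static get [Symbol.species]() { getterRan = true; return Promise; }
  }
  const p = Spy.resolve(1);                  // a promise whose .constructor is Spy
  apply(wrapper, p, [v => v]);
  return getterRan;
}

console.log('vulnerable wrapper intercepted:', callIsIntercepted(vulnerableThen)); // true
console.log('fixed wrapper intercepted:     ', callIsIntercepted(fixedThen));      // false
console.log('species getter ran (fixed):    ', speciesIsConsulted(fixedThen));     // true
```

The third result is the caveat for anyone reviewing the patch: switching to a captured `apply` closes the `.call` lookup, but the species lookup happens inside the engine, so the wrapper must also guarantee that the `this` it forwards is a host-realm promise whose constructor the sandbox cannot replace.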

Exploit Details

Mitigation Strategies

  • Upgrade vm2 to version 3.10.5 or later immediately
  • Migrate to isolation technologies that put a process, namespace or VM boundary between untrusted code and the host (WebAssembly runtimes, containers such as Docker, or microVMs such as Firecracker) instead of a same-process JavaScript realm
  • Implement EDR rules that alert on child_process spawning (a shell or any executable the application does not normally launch) from Node.js processes

Remediation Steps:

  1. Identify all projects and transitive dependencies relying on vm2; a nested copy under another package's node_modules is just as exposed as a direct dependency.
  2. Update package.json and lockfiles to enforce vm2 >= 3.10.5, including any nested copies pinned by intermediate packages.
  3. Run unit and integration tests to ensure standard functionality remains unaffected by the update.
  4. Initiate an architectural review to retire same-process V8 sandboxing (vm, vm2) for untrusted code execution.
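Steps 1 and 2 above are where transitive copies get missed, so here is an added example (the author's own script, not part of the advisory or of vm2) that walks a package-lock.json of lockfileVersion 2 or 3, where every installed copy of a package appears under `packages` keyed by its node_modules path, and reports each vm2 copy below the fixed version together with the package that pulled it in. The sample lock object is constructed for the example; `example-app` and `example-plugin` are hypothetical names.

```javascript
'use strict';
// Added example (not from the advisory): find every vm2 install in a package-lock.json,
// including nested transitive copies, and flag the ones below the fixed version.
// For a real lockfile: findVulnerableVm2(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))).

const FIXED_VM2 = '3.10.5';   // fix version stated in the advisory

// Numeric "major.minor.patch" comparison; prerelease and build suffixes are dropped.
function versionBelow(version, floor) {
  const parts = s => s.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
  const [a, b] = [parts(version), parts(floor)];
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Returns [{ path, version, requiredBy }] for every vulnerable vm2 copy in the lock object.
function findVulnerableVm2(lock) {
  if (!lock.packages) {
    throw new Error('lockfileVersion 1 has no "packages" map; regenerate the lockfile with a current npm');
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const topLevel = path === 'node_modules/vm2';
    const nested = path.endsWith('/node_modules/vm2');
    if (!(topLevel || nested) || !entry.version) continue;
    if (!versionBelow(entry.version, FIXED_VM2)) continue;
    // The owner of the enclosing node_modules directory is the package that requires this copy.
    const requiredBy = topLevel ? '(root project)' : path.slice(0, path.lastIndexOf('/node_modules/vm2'));
    hits.push({ path, version: entry.version, requiredBy });
  }
  return hits;
}

// Constructed sample (hypothetical project): a patched top-level vm2 plus an older copy
// nested under a plugin that still pins ^3.9, which a top-level `npm ls vm2` would not show.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.10.5', 'example-plugin': '^1.0.0' } },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/example-plugin': { version: '1.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/example-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const h of findVulnerableVm2(sampleLock)) {
  console.log(`${h.path} is vm2@${h.version} (< ${FIXED_VM2}), required by ${h.requiredBy}`);
}
```

`npm ls vm2 --all` prints the same tree from the installed node_modules. Once the nested copy is found, an `"overrides": { "vm2": ">=3.10.5" }` entry in the root package.json (npm 8.3 or later) forces the intermediate package onto the fixed version, after which the lockfile should be regenerated and re-scanned.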
