Skip to content

Secure IT

Stay Secure. Stay Informed.

Primary Menu
  • Home
  • Sources
    • Krebs On Security
    • Security Week
    • The Hacker News
    • Schneier On Security
  • Home
  • The Hacker News
  • vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
  • The Hacker News

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

[email protected] The Hacker News Published: May 7, 2026 | Updated: May 9, 2026 1 min read
2 views

Ravie LakshmananMay 07, 2026Vulnerability / Software Security

A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.

vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

The security flaws are listed below –

  • CVE-2026-24118 (CVSS score: 9.8) – A vulnerability that allows sandbox escape via “__lookupGetter__” and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0)
  • CVE-2026-24120 (CVSS score: 9.8) – A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host. (Affects versions <= 3.10.3, patched in 3.10.5)
  • CVE-2026-24781 (CVSS score: 9.8) – A vulnerability that allows sandbox escape via the “inspect” function and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.3, patches in 3.11.0)
  • CVE-2026-26332 (CVSS score: 9.8) – A vulnerability that allows sandbox escape via “SuppressedError” and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0)
  • CVE-2026-26956 (CVSS score: 9.8) – A protection mechanism failure vulnerability that allows sandbox escape with arbitrary code execution by triggering a TypeError produced by Symbol-to-string coercion. (Affects version 3.10.4, confirmed on Node.js 25.6.1, patched in 3.10.5)
  • CVE-2026-43997 (CVSS score: 10.0) – A code injection vulnerability that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution. (Affects versions <= 3.10.5, patched in 3.11.0)
  • CVE-2026-43999 (CVSS score: 9.9) – A vulnerability that allows a bypass of NodeVM’s built-in allowlist and enables an attacker to load excluded builtins like child_process and achieve remote code execution. (Affects version 3.10.5, patched in 3.11.0)
  • CVE-2026-44005 (CVSS score: 10.0) – A vulnerability that allows attacker-controlled JavaScript to escape the sandbox and enable prototype pollution. (Affects versions 3.9.6-3.10.5, patched in 3.11.0)
  • CVE-2026-44006 (CVSS score: 10.0) – A code injection vulnerability via “BaseHandler.getPrototypeOf” that enables sandbox escape and remote code execution. (Affects versions <= 3.10.5, patched in 3.11.0)
  • CVE-2026-44007 (CVSS score: 9.1) – An improper access control vulnerability that allows sandbox escape and execution of arbitrary operating system commands on the underlying host. (Affects versions <= 3.11.0, patched in 3.11.1)
  • CVE-2026-44008 (CVSS score: 9.8) – A vulnerability that allows sandbox escape via “neutralizeArraySpeciesBatch()” and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2)
  • CVE-2026-44009 (CVSS score: 9.8) – A vulnerability that allows sandbox escape via a null proto exception and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2)

The disclosure comes a couple of months after vm2 maintainer Patrik Simek released patches for another critical sandbox escape flaw (CVE-2026-22709, CVSS score: 9.8) that could lead to arbitrary code execution on the underlying host system.

The string of newly identified sandbox escapes illustrates the challenge of securely isolating untrusted code in JavaScript-based sandbox environments, with Simek acknowledging previously that new bypasses will likely be discovered in the future. Users of vm2 are advised to update to the latest version (3.11.2) for optimal protection.

About The Author

[email protected] The Hacker News

See author's posts

Original post here

What do you feel about this?

  • The Hacker News

Post navigation

Previous: Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
Next: PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

Author's Other Posts

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now cpanel-3.jpg

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

May 9, 2026 0 1
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms banking.jpg

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

May 9, 2026 0 0
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads android-calls.jpg

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

May 9, 2026 0 0
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches zz-webinar.jpg

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

May 9, 2026 0 1

Related Stories

cpanel-3.jpg
  • The Hacker News

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

[email protected] The Hacker News May 9, 2026 0 1
banking.jpg
  • The Hacker News

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

[email protected] The Hacker News May 9, 2026 0 0
android-calls.jpg
  • The Hacker News

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

[email protected] The Hacker News May 9, 2026 0 0
zz-webinar.jpg
  • The Hacker News

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

[email protected] The Hacker News May 9, 2026 0 1
kube.jpg
  • The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

[email protected] The Hacker News May 9, 2026 0 0
ai-soc.jpg
  • The Hacker News

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

[email protected] The Hacker News May 9, 2026 0 1

Trending Now

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0

Connect with Us

Social menu is not set. You need to create menu and assign it to Social Menu on Menu Settings.

Trending News

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak 5
  • Uncategorized

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

May 22, 2026 0 0
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada 6
  • Uncategorized

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

May 21, 2026 0 0
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github 7
  • Uncategorized

CISA Admin Leaked AWS GovCloud Keys on Github

May 18, 2026 0 0

You may have missed

Who Runs the Ransomware Group ‘The Gentlemen?’
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

Sean June 10, 2026 0 0
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

Sean June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Sean June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Sean May 25, 2026 0 0
Copyright © 2026 All rights reserved. | MoreNews by AF themes.