VM2 sandbox breakout, host RCE (CVE-2026-24118)
CVE-2026-24118: VM2 sandbox escape lets attackers execute arbitrary commands on the host (CVSS 9.8). Update to version 3.11.0 immediately.
Patch now - CVE-2026-24118 is a critical sandbox breakout in VM2 versions before 3.11.0 that grants unauthenticated remote code execution on the host system. Patched in version 3.11.0 - update immediately to prevent full host compromise.
Overview
CVE-2026-24118 is a CVSS 9.8 critical flaw in the VM2 sandbox library for Node.js. The vulnerability allows attackers to escape the JavaScript sandbox environment and execute arbitrary commands on the underlying host operating system. The attack requires no authentication, no user interaction, and can be triggered remotely over the network.
VM2 is widely used to run untrusted JavaScript code in isolated environments. This breakout completely defeats the sandbox’s security model, giving an attacker full control over the host where the VM2 instance runs.
Impact
An attacker exploiting CVE-2026-24118 can:
- Execute arbitrary operating system commands on the host server
- Read, modify, or delete any file accessible to the Node.js process
- Install malware, backdoors, or cryptocurrency miners
- Pivot to other internal systems from the compromised host
The severity is amplified by the low attack complexity and the fact that no authentication is needed to trigger the exploit. Any application or cloud service that uses VM2 to evaluate user-supplied JavaScript code is at immediate risk.
Remediation
The VM2 project has released version 3.11.0 which fully patches this vulnerability. Organizations should:
- Update VM2 to version 3.11.0 or later in all applications
- Audit all code paths where untrusted JavaScript is executed via VM2
- Consider migrating to the maintained alternative, isolated-vm, as VM2 has been deprecated by its maintainers
- Review cloud and CI/CD pipelines that embed VM2 for immediate patching
No workarounds exist - patching is the only effective mitigation. The vendor patch is available from the VM2 GitHub repository.
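To support the first two remediation steps, here is an added example (not code from the advisory or the vm2 project) that inventories an npm package-lock.json for vm2 installs older than the patched 3.11.0 release, including transitive copies nested under other packages that a top-level dependency check misses. The lockfile it scans is a constructed sample; pass the parsed JSON of a real lockfile to findVulnerableVm2 to check a project.

```javascript
// Added example (not from the advisory or vm2 itself): scan a parsed npm
// package-lock.json for any vm2 install below 3.11.0, the fixed release named
// above. Handles lockfileVersion 1 and 2/3; plain Node, no third-party modules.
const FIXED_VERSION = "3.11.0";

// Numeric major.minor.patch compare (<0, 0, >0); a string compare would rank
// 3.9.x above 3.11.0. Assumption: pre-release suffixes like "-beta" are ignored.
function compareVersions(a, b) {
  const num = (v) => v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every vm2 install whose version predates the fix, including copies
// nested under other packages (transitive installs are easy to overlook).
function findVulnerableVm2(lock) {
  const hits = [];
  const check = (path, version) => {
    if (version && compareVersions(version, FIXED_VERSION) < 0) hits.push({ path, version });
  };
  // lockfileVersion 2/3: keys are install paths like "node_modules/x/node_modules/vm2"
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === "node_modules/vm2" || p.endsWith("/node_modules/vm2")) check(p, meta.version);
  }
  // lockfileVersion 1: recurse through the nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps)) {
      const p = `${prefix}node_modules/${name}`;
      if (name === "vm2") check(p, meta.version);
      if (meta.dependencies) walk(meta.dependencies, p + "/");
    }
  };
  if (!lock.packages && lock.dependencies) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: a direct vm2 3.10.4 (vulnerable) and a nested copy
// already on 3.11.0 (patched); only the first should be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.4" },
    "node_modules/some-runner/node_modules/vm2": { version: "3.11.0" },
  },
};
console.log(findVulnerableVm2(SAMPLE_LOCK)); // [ { path: 'node_modules/vm2', version: '3.10.4' } ]
```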
Security Insight
This vulnerability represents yet another sandbox escape in a JavaScript sandbox library, following a pattern of similar flaws in VM2 over the past two years. The repeated breakout vectors in VM2 highlight the fundamental difficulty of safely sandboxing JavaScript and suggest the library’s architecture may be inherently fragile. Organizations that rely on code sandboxing should evaluate alternative isolation techniques, including containerization with seccomp profiles or the maintained isolated-vm library. For ongoing coverage of code execution vulnerabilities and sandbox escapes, see our security news and breach reports sections.
Related Advisories
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2...
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can esc...
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0....
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and r...