CRITICAL🇵🇱 Wersja polska

CVE-2026-24118

CVSS 9.8v3.1pub. 2026-05-04upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

🤖 AI Analysis
How it works

The vulnerability (CWE-94, CWE-693) consists of the fact that the vm2 sandbox protection mechanisms can be bypassed by specially crafted code executed inside the virtual machine. Malicious code is able to break out of the isolation boundaries and gain access to the Node.js host environment. After escaping the sandbox, it is possible to execute arbitrary system commands in the context of the vm2 hosting process.

Impact

An attacker can execute arbitrary code on the host system, leading to complete compromise of confidentiality, integrity, and availability of the system — including server takeover, data theft, and malware installation.

Mitigation & patch

Update the vm2 library to version 3.11.0, in which the issue was fixed. Patches are available in the project's GitHub repository (commits: 2b5f3e3 and f9b700b1).

Who is affected

Vm2 Project vm2 — all versions before 3.11.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)