CRITICAL🇵🇱 Wersja polska

CVE-2026-24120

CVSS 9.8v3.1pub. 2026-05-04upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

🤖 AI Analysis
How it works

The vulnerability results from an insufficient fix introduced in response to CVE-2023-37466 — the protection mechanism can be bypassed through properly crafted JavaScript code. An attacker who can execute code in the context of the vm2 sandbox can construct a payload that enables escape from the isolated environment (CWE-94: code injection, CWE-693: insufficient protection mechanism). After escaping the sandbox, malicious code gains access to the host operating system and can execute arbitrary commands.

Impact

An attacker can completely break the sandbox isolation and execute arbitrary code on the host server, potentially leading to full system compromise, data theft, or further lateral movement in the network.

Mitigation & patch

Update the vm2 library to version 3.10.5 or later, where the vulnerability has been fixed. Details are available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.10.5

Who is affected

Vm2 Project vm2 in all versions prior to 3.10.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.10.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)