CRITICAL🇵🇱 Wersja polska

CVE-2026-24781

CVSS 9.8v3.1pub. 2026-05-04upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

🤖 AI Analysis
How it works

The vulnerability stems from improper implementation of the inspect mechanism in vm2, which does not provide adequate isolation (CWE-94: code injection, CWE-693: insufficient protection of mechanism). An attacker can craft code executed inside the vm2 sandbox that escapes its boundaries through the inspect function. After breaking out of the sandbox, arbitrary commands can be executed directly on the host operating system.

Impact

The attacker gains full control over the host system — can read, modify and delete files, execute arbitrary system commands, and potentially take control of the entire infrastructure. The vulnerability leads to complete breach of system confidentiality, integrity, and availability.

Mitigation & patch

The vm2 library should be updated to version 3.11.0, where the vulnerability has been fixed. The update is available in the project's GitHub repository and in the npm registry.

Who is affected

Vm2 Project vm2 in all versions preceding 3.11.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)