CVE-2023-37466
published 2026-05-04
Priority: P2 · 71 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 2.34% (81.5th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| hoppscotch | cli | >= 0.5.0 < 0.8.0 | 0.8.0 |
| patriksimek | vm2 | < 3.10.5 | 3.10.5 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.10.5 | 3.10.5 |
| vm2_project | vm2 | <= 3.9.19 | — |
| vm2_project | vm2 | >= 0 < 3.10.0 | 3.10.0 |
| vm2_project | vm2 | 0 – 3.9.19 | — |
Detection & IOCs
- Detect sandbox escape via Proxy getPrototypeOf trap triggering recursive stack overflow: attacker constructs a Proxy with a getPrototypeOf handler that calls a recursive stack() function, then catches the resulting error to extract the Function constructor and escape the vm2 sandbox.
- Alert on vm2 versions <= 3.9.19 in Node.js environments: these versions are confirmed vulnerable to the sandbox escape leading to arbitrary/remote code execution.
- Monitor for child_process.execSync calls originating from within a vm2 sandbox context: the exploit payload uses mainModule.require('child_process') followed by execSync to run OS commands on the host.
- The fix introduced in vm2 v3.10.0 for CVE-2023-37466 is itself insufficient and bypassable; only v3.10.5 fully addresses the sandbox escape chain.
- The vm2 project has been discontinued and should not be used in production regardless of patching status.
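One way to act on the version alert above, as an added example that is not code from this page or from the vm2 project: it walks an npm lockfile (both the flat `packages` layout and the older nested `dependencies` layout) and flags every vm2 install below 3.10.5, the fixed version given on this page. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the vm2 project): flag vm2 installs in an npm lockfile.
const FIXED = "3.10.5"; // fixed version as stated on this page

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` sorts before `fixed` (pre-releases of `fixed` count as below).
function isBelow(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // unparseable: fail closed and review by hand
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return /^\d+\.\d+\.\d+-/.test(String(version));
}

function auditLock(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/vm2$/.test(path)) hits.push({ path, version: meta.version });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        if (name === "vm2") hits.push({ path: here.join(" > "), version: meta.version });
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits.map((h) => ({ ...h, vulnerable: isBelow(h.version, FIXED) }));
}

// Constructed sample lockfile: one patched copy, two transitive copies below the fix.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.5" },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.9.19" },
    "node_modules/other/node_modules/vm2": { version: "3.10.0" },
    "node_modules/vm2-helper": { version: "1.0.0" },
  },
};
console.log(auditLock(sampleLock));
```

Because the page notes that vm2 is discontinued, a hit at or above 3.10.5 is still worth listing for replacement planning rather than treating as clean.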
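CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| ghsa | — | 10.0 | CRITICAL | — |
| osv | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |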
Red Hat
vm2: vm2: Arbitrary code execution due to sandbox escape vulnerability
vendor_redhat·2026-05-04·CVSS 10.0
CVE-2026-24120 [CRITICAL] CWE-807 vm2: vm2: Arbitrary code execution due to sandbox escape vulnerability
A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to bypass existing security controls, specifically the fix for CVE-2023-37466. By circumventing the sandbox, an attacker can execute arbitrary commands on the host system, leading to a complete compromise of the affected system.
Statement: This Important flaw in vm2 allows for arbitrary code execution through a sandbox escape. Red Hat products are not affected by this vulnerability, as the component is either not present or the vulnerable code cannot be controlled by an adversary in Red Hat's supported configurations.
Red Hat Developer Hub is not affected by this vulnerability as the `vm2` package is a development
Red Hat
vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code
vendor_redhat·2023-07-17·CVSS 9.8
CVE-2023-37466 [CRITICAL] CWE-78 vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
A flaw was found in the vm2 Promise handler sanitization, which allows attackers to escape the sandbox. This flaw allows attackers to run arbitrary code.
Mitigation: Mitigation for this issue
GHSA
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
ghsa·2024-04-22
CVE-2024-34347 [HIGH] CWE-77 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
### Observations
The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It does not render user-controlled HTML or Markdown, uses Tauri instead of Electron, and sandboxes pre-request scripts with a simple yet secure implementation using web workers.
Unfortunately, web workers are not available in a pure Node.js application like Hoppscotch CLI. That is why the [@hoppscotch/js-sandbox](https://github.com/hoppscotch/hoppscotch/tree/main/packages/hoppscotch-js-sandbox) package also provides a JavaScript sandbox that uses the Node.js `vm` module. However, the `vm` module is not safe for sandboxing untrusted JavaScript code, as stated [in the
OSV
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
osv·2024-04-22
CVE-2024-34347 [HIGH] @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
GHSA
vm2 Sandbox Escape vulnerability
ghsa·2023-07-13
CVE-2023-37466 [CRITICAL] CWE-94 vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
### Impact
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of vm2 sandbox.
### Patches
None.
### Workarounds
None.
### References
PoC - https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.
GHSA
vm2 Sandbox Escape vulnerability
ghsa·2023-07-13·CVSS 10.0
CVE-2023-37903 [CRITICAL] CWE-78 vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
### Impact
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of vm2 sandbox.
### Patches
None.
### Workarounds
None.
### References
PoC is to be disclosed on or after the 5th of September.
### Similarity with [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466)
While this advisory might look similar to [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466), it is a completely different way of escaping the sandbox.
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriks
OSV
vm2 Sandbox Escape vulnerability
osv·2023-07-13·CVSS 10.0
CVE-2023-37903 [CRITICAL] vm2 Sandbox Escape vulnerability
OSV
vm2 Sandbox Escape vulnerability
osv·2023-07-13
CVE-2023-37466 [CRITICAL] vm2 Sandbox Escape vulnerability
No detection rules found.
Hackernews
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
blogs_hackernews·2026-05-07·CVSS 10.0
CVE-2026-24118 [CRITICAL] vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The security flaws are listed below -
CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGette
Bugzilla
CVE-2026-24120 vm2: vm2: Arbitrary code execution due to sandbox escape vulnerability
bugzilla·2026-05-04·CVSS 10.0
CVE-2026-24120 [CRITICAL] CVE-2026-24120 vm2: vm2: Arbitrary code execution due to sandbox escape vulnerability
- https://github.com/patriksimek/vm2/releases/tag/v3.10.5
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- https://access.redhat.com/security/cve/CVE-2026-24120
- https://bugzilla.redhat.com/show_bug.cgi?id=2466529
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24120.json

Published: 2026-05-04