CVE-2026-24120
Published 2026-05-04
CVE-2026-24120: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to…
Priority: P262
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.0th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.10.5 | 3.10.5 |
| vm2_project | vm2 | >= 0 < 3.10.5 | 3.10.5 |
Detection & IOCs (extracted from sources)
- Target library is vm2 (Node.js sandbox); any process loading vm2 versions prior to 3.10.5 should be flagged as potentially vulnerable to sandbox escape and arbitrary command execution.
- This CVE is a bypass of the patch for CVE-2023-37466; detection logic or rules written for CVE-2023-37466 sandbox-escape patterns in vm2 may also be relevant here, as the attack vector is a circumvention of that prior fix.
- Monitor Node.js processes for unexpected child process spawning or shell execution originating from vm2-sandboxed code, which would indicate a successful sandbox escape.
- The vulnerability only affects vm2 versions strictly prior to 3.10.5; version 3.10.5 contains the patch and is not vulnerable.
- Red Hat products (including Red Hat Developer Hub and Ansible Automation Platform Self-service Portal 2) are confirmed not affected; no detection effort is needed in those specific configurations.
- In Red Hat Developer Hub, vm2 is only a development dependency and the vulnerable code path is unreachable by an adversary, so runtime detections targeting that environment will produce false positives.
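One way to act on the first detection item, as an added example that is not part of any of the advisory sources quoted on this page: scan a `package-lock.json` for every installed copy of vm2 (including nested copies under other packages) and report those below the fixed version 3.10.5. The lockfile contents are constructed for illustration; the 3.10.5 threshold comes from the advisory.

```javascript
// Added example: find vm2 installs below the fixed version 3.10.5 in a lockfile.
// The lockfile below is constructed sample data, not from a real project.
const sampleLock = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },                       // vulnerable
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.5" }, // patched
    "node_modules/other": { version: "2.0.0" }
  }
});

const FIXED_VERSION = "3.10.5"; // first non-vulnerable release per the advisory

// Compare two "major.minor.patch[-pre]" strings; returns <0, 0 or >0.
// A pre-release (e.g. "3.10.5-rc.1") sorts below the corresponding release.
function compareVersions(a, b) {
  const parse = (v) => { const [core, pre] = v.split("-"); return { nums: core.split(".").map(Number), pre }; };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect every vm2 install: lockfile v2/v3 use a flat "packages" map,
// lockfile v1 uses a nested "dependencies" tree.
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return only the vm2 installs that are strictly older than the fixed version.
function vulnerableVm2(lockText) {
  return findVm2(JSON.parse(lockText)).filter((e) => compareVersions(e.version, FIXED_VERSION) < 0);
}

console.log(vulnerableVm2(sampleLock)); // [{ path: "node_modules/vm2", version: "3.9.19" }]
```

Run it against a real lockfile by replacing `sampleLock` with `fs.readFileSync("package-lock.json", "utf8")`; an empty result means no copy of vm2 below 3.10.5 is installed.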
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 10.0 CRITICAL
GHSA (2026-05-05): VM2 Has Sandbox Breakout Through Promise Species (CVE-2026-24120, CRITICAL, CWE-693)
### Summary
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 introduced the function `resetPromiseSpecies` https://github.com/patriksimek/vm2/blob/4b009c2d4b1131c01810c1205e641d614c322a29/lib/setup-sandbox.js#L35C7-L39.
This function changes the `species` property of promise objects back to a known value. However, it uses the function `[].includes` and `Object.defineProperty`, which can be overwritten to prevent the species from being changed.
VulDB (2026-05-04, CVSS 9.8): patriksimek vm2 up to 3.10.4 protection mechanism (GHSA-qvjj-29qf-hp7p / WID-SEC-2026-1349) (CVE-2026-24120, CRITICAL)
A vulnerability was found in patriksimek vm2 up to 3.10.4. It has been declared as critical. This issue affects some unknown processing. Executing a manipulation can lead to protection mechanism failure.
The identification of this vulnerability is CVE-2026-24120. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
Red Hat (2026-05-04, CVSS 10.0): vm2: Arbitrary code execution due to sandbox escape vulnerability (CVE-2026-24120, CRITICAL, CWE-807)
A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to bypass existing security controls, specifically the fix for CVE-2023-37466. By circumventing the sandbox, an attacker can execute arbitrary commands on the host system, leading to a complete compromise of the affected system.
Statement: This Important flaw in vm2 allows for arbitrary code execution through a sandbox escape. Red Hat products are not affected by this vulnerability, as the component is either not present or the vulnerable code cannot be controlled by an adversary in Red Hat's supported configurations.
Red Hat Developer Hub is not affected by this vulnerability as the `vm2` package is a development
No detection rules found.
No public exploits indexed.
Hackernews (2026-05-07, CVSS 10.0): vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution (CVE-2026-24118, CRITICAL)
## vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The security flaws are listed below -
CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGette
Bugzilla (2026-05-04, CVSS 10.0): CVE-2026-24120 vm2: Arbitrary code execution due to sandbox escape vulnerability (CRITICAL)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
References
- https://github.com/patriksimek/vm2/releases/tag/v3.10.5
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- https://access.redhat.com/security/cve/CVE-2026-24120
- https://bugzilla.redhat.com/show_bug.cgi?id=2466529
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24120.json
Published: 2026-05-04