CVE-2026-24120
published 2026-05-04


Priority: P262 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.0th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

Affected (4 ranges)

Vendor                        Product               Version range     Fixed in
ansible-automation-platform   automation-portal     (not stated)      (not stated)
rhdh                          rhdh-hub-rhel9        (not stated)      (not stated)
vm2_project                   vm2                   < 3.10.5          3.10.5
vm2_project                   vm2                   >= 0, < 3.10.5    3.10.5

Detection & IOCs (extracted from sources)

  • Target library is vm2 (Node.js sandbox); any process loading vm2 versions prior to 3.10.5 should be flagged as potentially vulnerable to sandbox escape and arbitrary command execution.
  • This CVE is a bypass of the patch for CVE-2023-37466; detection logic or rules written for CVE-2023-37466 sandbox-escape patterns in vm2 may also be relevant here, as the attack vector is a circumvention of that prior fix.
  • Monitor Node.js processes for unexpected child process spawning or shell execution originating from vm2-sandboxed code, which would indicate a successful sandbox escape.
  • The vulnerability only affects vm2 versions strictly prior to 3.10.5; version 3.10.5 contains the patch and is not vulnerable.
  • Red Hat products (including Red Hat Developer Hub and Ansible Automation Platform Self-service Portal 2) are confirmed not affected; no detection effort is needed in those specific configurations.
  • In Red Hat Developer Hub, vm2 is only a development dependency and the vulnerable code path is unreachable by an adversary, so runtime detections targeting that environment will produce false positives.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat   -         10.0    CRITICAL   -