A dozen critical vulnerabilities were disclosed in the vm2 Node.js library on May 7, 2026, including several flaws that can let attackers escape the sandbox and run arbitrary code on the host system.
KEY FACTS
- Scope: The flaws affect vm2 versions ranging from 3.9.6 through 3.11.1, depending on the issue.
- Severity: Several of the vulnerabilities carry CVSS scores of 9.8 or 10.0.
- Impact: The bugs can enable sandbox escape, remote code execution, prototype pollution and loading of restricted builtins.
- Fixes: Patches are available in versions 3.10.5, 3.11.0, 3.11.1 and 3.11.2.
vm2 is an open-source library used to run untrusted JavaScript in a sandbox by intercepting and proxying objects to keep code from reaching the host environment. The disclosure covers issues tracked as CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44007, CVE-2026-44008 and CVE-2026-44009.
The advisory says some of the flaws can be triggered through mechanisms including __lookupGetter__, promise species handling, inspect functions, SuppressedError, Symbol-to-string coercion, BaseHandler.getPrototypeOf and null prototype exceptions. One issue also bypasses NodeVM’s built-in allowlist and can expose excluded builtins such as child_process.
The report says another flaw can allow attacker-controlled JavaScript to escape the sandbox and pollute prototypes. Most of the vulnerabilities affect versions up to 3.10.5 or 3.11.1, with fixes spread across releases up to 3.11.2.
The disclosure follows a separate critical vm2 sandbox escape patched earlier in the year. The maintainer has said new bypasses are likely to keep appearing, underscoring the difficulty of safely isolating untrusted code in JavaScript sandbox environments.
WHY IT MATTERS
Organizations that rely on vm2 to contain untrusted code face a risk of full host compromise if exposed versions remain unpatched. Updating to the latest release, version 3.11.2, is the most direct step available based on the disclosure.
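As an added example (not code from the advisory or the vm2 project), the Node.js script below audits an npm package-lock.json for every installed copy of vm2, including nested duplicates, and classifies each against the 3.9.6 through 3.11.1 affected range and the 3.11.2 fixed release stated above. The lockfile content is constructed for the example, and the path matching assumes npm's lockfileVersion 2/3 "packages" layout.

```javascript
// Constructed lockfile audit: flag vm2 copies in the 3.9.6..3.11.1 range named in the advisory.
function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix, then split into numbers.
  const parts = v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`unrecognised version string: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range and recommended release as stated in the disclosure.
const AFFECTED_MIN = "3.9.6";
const AFFECTED_MAX = "3.11.1";
const FIXED = "3.11.2";
function classifyVm2Version(version) {
  if (compareVersions(version, FIXED) >= 0) return "ok";
  if (compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0) {
    return "affected";
  }
  return "outdated"; // older than the affected range, but still below the fixed release
}

// npm lockfileVersion 2/3 keeps every installed copy under "packages", keyed by path,
// so nested duplicates ("node_modules/x/node_modules/vm2") are found as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      findings.push({ path, version: meta.version, status: classifyVm2Version(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one top-level vm2 and one nested copy pulled in by a plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vm2": { version: "3.10.5" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.2" },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.status}`);
```

To audit a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); any "affected" or "outdated" finding means that copy sits below the 3.11.2 release the disclosure points to.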

