Critical vm2 Sandbox Escapes Expose Node.js Hosts to Arbitrary Code Execution
Researchers disclosed a broad set of critical flaws in the vm2 Node.js sandbox library that allow untrusted JavaScript to break isolation and execute arbitrary code on the host system. Reports describe 11 to 12 vulnerabilities affecting versions in the 3.9.6 to 3.11.1 range, most rated CVSS 9.8 to 10.0. The flaws undermine core protections including the built-in allowlists, object handling, prototype traversal, Promise species behavior, `util.inspect`, `Module._load()`, WebAssembly exception handling, and the unsafe `nesting: true` configuration. One tracked issue, CVE-2026-24118, is a sandbox breakout through `__lookupGetter__` in versions prior to 3.11.0; it yields host-level command execution with no privileges or user interaction required.
The disclosures reinforce long-running concerns that vm2's JavaScript-only isolation model is not a dependable boundary for high-risk use cases such as multi-tenant code execution, plugin evaluation, automated grading, and serverless workloads. Upgrading to vm2 3.11.2 picks up the latest fixes, but one report notes that CVE-2026-44008 and CVE-2026-44009 remained unpatched at the time of writing, and several sources advise organizations that run untrusted code to move to a stronger isolation boundary such as a container or microVM rather than rely on vm2 alone. Successful exploitation can expose environment variables, credentials, and files on the host, fully compromise the Node.js process and the machine it runs on, and open a path to lateral movement.
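The first practical step the advisories point to is finding out whether vm2 is present at all, including transitive copies nested under other packages, and which of them predate the fix versions the story names (3.11.0 for CVE-2026-24118, 3.11.2 as the recommended upgrade). The script below is an added example and is not code from the page or from the vm2 project; it walks a package-lock.json in either the v1 nested format or the v2/v3 flat "packages" format and classifies every vm2 entry. The lockfile it runs on is constructed sample input, and the package names in it (`plugin-runner`, `other`) are hypothetical.

```javascript
// Added example (not from the page or the vm2 project): audit a package-lock.json
// for vm2 copies and compare each against the fix versions the story names.
// The fix versions are taken from the story; the lockfile below is constructed.

const FIX_CVE_2026_24118 = "3.11.0"; // story: __lookupGetter__ breakout fixed in 3.11.0
const RECOMMENDED = "3.11.2";        // story: recommended upgrade for latest fixes

// Parse "major.minor.patch" (any pre-release suffix is ignored) into numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Collect every vm2 instance in a lockfile. lockfileVersion 2/3 has a flat
// "packages" map keyed by install path; lockfileVersion 1 nests "dependencies".
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Classify each vm2 instance: still exposed to CVE-2026-24118, and/or below
// the recommended 3.11.2. Both flags false means "current as of this story",
// which still says nothing about the unpatched CVEs the story mentions.
function auditVm2(lockJson) {
  return findVm2(JSON.parse(lockJson)).map(({ path, version }) => ({
    path,
    version,
    affectedByCve202624118: compareSemver(version, FIX_CVE_2026_24118) < 0,
    belowRecommended: compareSemver(version, RECOMMENDED) < 0,
  }));
}

// Constructed sample lockfile (v3 format): a direct vm2 dependency, a nested
// copy under a hypothetical "plugin-runner" package, and a current copy under
// a hypothetical "other" package. Neither package name refers to a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/plugin-runner": { version: "1.0.0", dependencies: { vm2: "3.11.1" } },
    "node_modules/plugin-runner/node_modules/vm2": { version: "3.11.1" },
    "node_modules/other": { version: "2.0.0", dependencies: { vm2: "3.11.2" } },
    "node_modules/other/node_modules/vm2": { version: "3.11.2" },
    "node_modules/acorn": { version: "8.7.0" },
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditVm2(SAMPLE_LOCK)) console.log(r);
}
```

Run it against a real lockfile with `auditVm2(fs.readFileSync("package-lock.json", "utf8"))`. The nested-path check matters because a package that bundles its own vm2 (the "plugin-runner" case above) will not be caught by looking only at the top-level `node_modules/vm2` entry, and the v1 walker exists because older lockfiles still turn up in long-lived services.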

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-45411 disclosed in vm2 async generator sandbox escape
A new vm2 sandbox escape vulnerability, CVE-2026-45411, was documented involving async generator delegation and V8’s native handling of thenables during abrupt completion. The issue reportedly bypasses vm2’s JavaScript exception instrumentation and Promise.then sanitization, enabling remote code execution from the sandbox.
Users advised to upgrade to vm2 3.11.2 amid latest disclosures
Following the latest disclosures, users were advised to upgrade to vm2 3.11.2 for the best available protection. One report also noted that two vulnerabilities, CVE-2026-44008 and CVE-2026-44009, remained unpatched in the parallel disclosure set, underscoring ongoing risk in vm2's isolation model.
Researchers disclose broad set of critical vm2 sandbox escape flaws
Researchers disclosed a large batch of critical vulnerabilities in vm2 affecting versions through 3.11.1, with reports citing 11 to 12 flaws that enable sandbox escape and arbitrary code execution on the host. The issues impacted core sandbox protections, object handling, allowlists, and multiple escape vectors including __lookupGetter__, inspect-related behavior, prototype traversal, and Promise species handling.
GitHub Security Advisory receives CVE-2026-24118
The GitHub Advisory Database published an entry for CVE-2026-24118 on May 4, 2026, documenting the vm2 sandbox escape as a critical issue with CVSS 9.8. The advisory tied the flaw to sandbox breakout via `__lookupGetter__` and referenced the corresponding fix.
vm2 patches CVE-2026-24118 in version 3.11.0
A critical sandbox breakout vulnerability, CVE-2026-24118, affecting vm2 versions prior to 3.11.0 was fixed in vm2 version 3.11.0. The flaw allowed attackers to escape the Node.js sandbox and execute arbitrary commands on the host system.
GitHub advisory discloses vm2 null-prototype exception sandbox escape
A GitHub security advisory disclosed a vm2 sandbox breakout affecting versions up to and including 3.11.1. The advisory said exception handling in handleException could let attackers access the host Function object and achieve host command execution, and included a proof of concept.
Sources
13 references tracked; the following are listed.
CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation (cvereports.com)
Warning: Full sandbox escape in NodeJS Sandbox vm2, Patch Immediately! (CCB Belgium, ccb.belgium.be)
GHSA-2CM2-M3W5-GP2F: Remote Code Execution via Transformer Bypass in vm2 (cvereports.com)
VM2 Node.js Library security advisory (AV26-432) (Canadian Centre for Cyber Security, cyber.gc.ca)
Sandbox breakout via `neutralizeArraySpeciesBatch` · Advisory · patriksimek/vm2 (github.com)
Sandbox Breakout Through Null Proto Exception · Advisory · patriksimek/vm2 (github.com)
Sandbox Escape · Advisory · patriksimek/vm2 (github.com)
WASM Sandbox Escape · Advisory · patriksimek/vm2 (github.com)


