Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js
A wave of disclosures has exposed multiple critical flaws in the Node.js sandbox library vm2, showing that untrusted JavaScript can break out of the sandbox and execute commands on the host. GitHub advisories describe several distinct escape paths affecting versions as old as 3.9.6 and, in some cases, up to 3.11.3, including a breakout through Node.js `inspect`, a Promise species bypass that defeats an earlier patch, prototype pollution through vm2’s bridge to host intrinsic prototypes, and a NodeVM misconfiguration path where `nesting: true` lets code bypass `require: false` and load vm2 recursively to reach modules such as `child_process`. Public proofs of concept show attackers recovering the host `process` object and invoking host commands, turning vm2 from a containment boundary into a route to full host compromise.
Additional reporting and upstream changes indicate the problems are broader than a single bug. Semgrep documented a new sandbox escape, while vm2 maintainers added regression tests covering descriptor- and prototype-traversal techniques used to recover host constructors such as `Function`, `AsyncFunction`, and `GeneratorFunction`, as well as callback sanitization bypasses tied to Promise handling. A later roundup described five critical vulnerabilities with no practical configuration-based workaround for deployments that execute untrusted code, and urged upgrades to vm2 3.11.4 or later. The advisory backlog on the project’s GitHub page shows a concentrated set of newly published sandbox escape, builtin bypass, and host code execution issues, underscoring that organizations relying on vm2 for isolation should treat affected environments as potentially compromised.
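As an added example (not code from the vm2 project or from any of the sources this story cites), the Node.js script below audits a package-lock.json for vm2 installs older than the 3.11.4 release the reporting points to, and flags the NodeVM `nesting: true` option combination the advisories describe; the lock-file contents and option objects are constructed for illustration.

```javascript
// Added example, not from the vm2 project or its advisories: audit a
// package-lock.json for vm2 installs below 3.11.4 (the fixed release named
// in the reporting) and flag the NodeVM `nesting: true` misconfiguration.
const FIXED_VM2_VERSION = '3.11.4';
// Compare dotted numeric versions (pre-release suffix ignored): <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every vm2 install, nested copies included, that predates the fix.
function findVulnerableVm2(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (compareVersions(entry.version, FIXED_VM2_VERSION) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}
// Flag the misconfiguration the advisories describe: with `nesting: true`,
// sandboxed code can load vm2 again even though `require: false` was set.
function checkNodeVmOptions(options) {
  const issues = [];
  if (options.nesting === true) {
    issues.push('nesting: true exposes vm2 inside the sandbox; set it to false');
    if (options.require === false) {
      issues.push('require: false is bypassed while nesting is enabled');
    }
  }
  return issues;
}
// Constructed sample lock file: top-level vm2 predates the fix, nested copy is current.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.4' },
  },
});
console.log(findVulnerableVm2(SAMPLE_LOCK), checkNodeVmOptions({ nesting: true, require: false }));
```

Lockfile v1 files keep their tree under "dependencies" rather than "packages" and are not covered by this walk.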

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Public reporting summarizes five critical vm2 flaws
Security Online reported that five critical vm2 vulnerabilities affecting versions up to 3.11.3 enable sandbox escape and host RCE, and said organizations should upgrade to vm2 3.11.4 or later because no configuration workaround exists for untrusted code execution.
vm2 publishes ATTACKS.md documenting sandbox escape techniques
The vm2 repository published an ATTACKS.md document cataloging known sandbox escape and breakout techniques affecting the project. The document consolidates technical details on attack chains and serves as project-maintained security documentation for vm2 users and researchers.
GitHub advisory listing shows concentrated vm2 disclosures
The vm2 security advisories page reflected a wave of newly published disclosures in May 2026, highlighting numerous sandbox escape, RCE, builtin bypass, and data leakage issues affecting the library.
GitHub publishes multiple vm2 security advisories
GitHub advisories were published for several vm2 vulnerabilities, including sandbox breakouts through inspect, Promise species handling, prototype pollution-based escapes, and `nesting: true` require bypasses. The advisories describe host command execution and sandbox compromise across affected vm2 versions.
vm2 adds regression tests for sandbox escape techniques
A vm2 commit added security regression tests covering multiple sandbox escape chains involving property descriptors, prototype traversal, host constructor recovery, and Promise callback sanitization bypass attempts.
Semgrep discloses new vm2 sandbox escape
Semgrep published research describing a new sandbox escape affecting the popular Node.js sandbox library vm2, marking public disclosure of a fresh breakout technique.
vm2 fixes CVE-2026-22709 in version 3.10.2
A GitHub Security Advisory published CVE-2026-22709, a critical vm2 sandbox escape caused by improper Promise callback sanitization that could lead to arbitrary code execution outside the sandbox. Maintainers fixed the issue in commit 4b009c2 by replacing `Function.prototype.call` with `Reflect.apply` and released vm2 version 3.10.2.
GitHub discloses Proxy-related vm2 sandbox escape
GitHub published a security advisory for a vm2 sandbox escape affecting versions through 3.9.17, caused by unexpected creation of a host object related to Proxy specification behavior. The issue could lead to host remote code execution, had a public proof of concept, and was fixed in vm2 3.9.18 with no workaround provided.
Nesting bypass persisted through vm2 refactor
The `nesting: true` require-bypass issue remained present after a vm2 refactor in commit `9e2b6051`, allowing the vulnerable behavior to continue in later versions.
vm2 nesting flaw introduced in legacy resolver path
A vm2 flaw that lets a NodeVM with `nesting: true` bypass `require: false` was introduced in commit `2353ce60`, which injected `NESTING_OVERRIDE` into the resolver path and exposed `vm2` inside the sandbox.
Sources
Five Critical vm2 Vulnerabilities Grant Instant Node.js Host RCE (securityonline.info)
Security Advisories · patriksimek/vm2 · GitHub (github.com)
vm2/docs/ATTACKS.md at main · patriksimek/vm2 · GitHub (github.com)
Sandbox escape in vm2 · Advisory · patriksimek/vm2 · GitHub (github.com)
New Sandbox Escape Affecting Popular nodejs Sandbox library vm2 | Semgrep (semgrep.dev)
Critical Sandbox Escape in vm2 Enables RCE | Blog | Endor Labs (endorlabs.com)
Sandbox Escape · Advisory · patriksimek/vm2 · GitHub (github.com)
Sandbox Escape in vm2@3.9.15 · GitHub (gist.github.com)