Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js Environments
The vm2 Node.js sandboxing library was hit by a wave of critical sandbox-escape vulnerabilities that let attackers who can run untrusted JavaScript break out of the sandbox and execute arbitrary commands on the host. Reported flaws include CVE-2026-24120, which bypasses an earlier Promise-species mitigation to reach the host Function constructor; CVE-2026-24118, which abuses __lookupGetter__, Buffer.apply, and prototype traversal; CVE-2026-24781, which leverages inspect proxy unwrapping; CVE-2026-26332, which pivots through SuppressedError; and CVE-2026-26956, which uses WebAssembly JSTag exception handling on Node.js 25+. The initial advisories covered the 3.10.x branch and earlier; later ones (CVE-2026-47131, CVE-2026-47209) reach into the 3.11.x line before 3.11.4. Several of the issues require only the ability to submit code to a vm2 instance, with no authentication or user interaction.
The project responded with security releases v3.10.5 and v3.11.0; v3.11.0 closed 13 advisories covering sandbox escapes, denial-of-service bugs, information disclosure, and prototype pollution. Maintainers also patched a separate NodeVM issue, GHSA-m4wx-m65x-ghrr, in which enabling nesting: true with an omitted or falsy require option exposed the vm2 package inside the sandbox and led to host remote code execution. The releases added broader hardening such as bufferAllocLimit, stricter handling of dangerous built-ins, and filesystem checks. Maintainers warned that organizations using vm2 to run fully untrusted code should upgrade immediately and should not treat in-process JavaScript sandboxing as their sole security boundary.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-47131 disclosed as vm2 sandbox escape
A sandbox escape vulnerability in vm2 was disclosed as CVE-2026-47131, affecting versions prior to 3.11.4. The flaw uses specific Buffer.call.call sequences and Node.js ERR_INVALID_ARG_TYPE handling to obtain the host TypeError constructor and achieve arbitrary code execution outside the sandbox.
vm2 version 3.11.4 patched Bridge Proxy set-trap flaw
vm2 patched CVE-2026-47209 in version 3.11.4, fixing a flaw in bridge.js where the BaseHandler.set trap ignored the receiver parameter, so an assignment made on a sandbox object that merely inherited from a bridged proxy was written onto the underlying host object. The bug enabled host object property injection through the prototype chain, including registered cross-realm symbol keys such as Symbol.for('nodejs.util.promisify.custom').
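The receiver bug above, and the cross-realm symbol write problem named in the CVE-2026-47135 source, reduce to one Proxy semantics question: when sandbox code assigns to an object whose prototype is a bridged proxy, does the set trap write onto the host target or onto the receiver? The following is an added illustration written for this page, not vm2's bridge.js: a minimal host-to-sandbox proxy with a trap that ignores the receiver next to one that honours it and rejects registered or well-known symbol keys. The host object, the sandbox-side child object, the injected function and the hostPromisify consumer are all constructed here; hostPromisify uses Node's real util.promisify when require is available, since util.promisify returns fn[Symbol.for('nodejs.util.promisify.custom')] whenever that property is a function.

```javascript
// Added illustration (not vm2 code): buggy vs. fixed Proxy set trap on a
// host->sandbox bridge. Everything below is constructed for the example.

const PROMISIFY_CUSTOM = Symbol.for('nodejs.util.promisify.custom');

// Registered symbols (Symbol.for) and well-known symbols are the same value in
// every realm, so a sandbox realm can name host-side keys with them.
const WELL_KNOWN_SYMBOLS = new Set(
  Object.getOwnPropertyNames(Symbol).map((n) => Symbol[n]).filter((v) => typeof v === 'symbol'),
);
function isCrossRealmSymbol(key) {
  return typeof key === 'symbol' && (Symbol.keyFor(key) !== undefined || WELL_KNOWN_SYMBOLS.has(key));
}

// Lets the fixed trap distinguish "the proxy itself" from "an object inheriting from it".
const bridgedProxies = new WeakSet();

// Buggy trap: every write, including one that only *inherits* from the proxy,
// lands on the host target. This is the bug class behind CVE-2026-47209.
const buggyHandler = {
  set(target, key, value /* receiver ignored */) {
    target[key] = value;
    return true;
  },
};

// Fixed trap: a write initiated on an object that inherits from the proxy is
// defined on that object (the receiver), as ordinary [[Set]] does, and
// cross-realm symbol keys are refused. Returning false surfaces as a TypeError
// in strict-mode sandbox code.
const fixedHandler = {
  set(target, key, value, receiver) {
    if (isCrossRealmSymbol(key)) return false;
    if (!bridgedProxies.has(receiver)) {
      if (receiver === null || (typeof receiver !== 'object' && typeof receiver !== 'function')) return false;
      return Reflect.defineProperty(receiver, key, { value, writable: true, enumerable: true, configurable: true });
    }
    return Reflect.set(target, key, value);
  },
};

function bridge(hostValue, fixed) {
  const proxy = new Proxy(hostValue, fixed ? fixedHandler : buggyHandler);
  bridgedProxies.add(proxy);
  return proxy;
}

// Stand-in for sandbox code: an object whose prototype is the bridged proxy,
// assigning through the prototype chain. Reflect.set returns the trap's boolean
// so the result does not depend on strict mode.
function sandboxAssign(proxy, key, value) {
  const child = Object.create(proxy);
  return { ok: Reflect.set(child, key, value), child };
}

// Host-side consumer. Node's util.promisify returns fn[PROMISIFY_CUSTOM] when it
// is a function; the same lookup is re-implemented if `require` is unavailable.
const nodeUtil = (() => { try { return require('node:util'); } catch (_) { return null; } })();
function hostPromisify(fn) {
  if (nodeUtil) return nodeUtil.promisify(fn);
  if (typeof fn[PROMISIFY_CUSTOM] === 'function') return fn[PROMISIFY_CUSTOM];
  return (...a) => new Promise((res, rej) => fn(...a, (e, v) => (e ? rej(e) : res(v))));
}

function demo(fixed) {
  // Constructed host object; hostFn is the callback-style function the host later promisifies.
  const host = { name: 'host-config', hostFn: function hostFn(cb) { cb(null, 'real'); } };
  const objProxy = bridge(host, fixed);
  const fnProxy = bridge(host.hostFn, fixed);
  const hijack = () => Promise.resolve('hijacked'); // constructed sandbox payload

  const a = sandboxAssign(objProxy, 'injected', 'from-sandbox');
  const b = sandboxAssign(fnProxy, PROMISIFY_CUSTOM, hijack);
  return {
    hostPolluted: Object.prototype.hasOwnProperty.call(host, 'injected'),
    childOwnsProperty: Object.prototype.hasOwnProperty.call(a.child, 'injected'),
    symbolWriteRejected: !b.ok,
    promisifyHijacked: hostPromisify(host.hostFn) === hijack,
  };
}

console.log('buggy trap:', demo(false));
console.log('fixed trap:', demo(true));
```

With the buggy trap the host object gains an attacker-controlled property and util.promisify on the host function returns the sandbox's function; with the fixed trap the string key lands on the sandbox child and the symbol write is refused. A real bridge also has to bridge values crossing the boundary, which this sketch leaves out.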
GitHub advisory discloses NodeVM builtin denylist bypass in vm2
A GitHub security advisory (tracked as CVE-2026-47140) described a vm2 NodeVM sandbox escape in which the dangerous builtin denylist omitted process and inspector/promises, allowing sandboxed code to regain host execution primitives and achieve host RCE. The advisory said the issue affects deployments that allow those builtins explicitly or grant wildcard builtin access, and recommended adding both modules to the dangerous builtin blocklist.
vm2 commit fixes Promise species hijack in localPromise
A vm2 security fix was committed to close GHSA-76w7-j9cq-rx2j, a sandbox escape caused by Promise species handling in localPromise that could expose an unbridged host RangeError and lead to host Function access and possible RCE. The patch resets Symbol.species before invoking the host Promise.then path so downstream promises stay wrapped and exceptions are bridged safely.
vm2 commit fixes NodeVM nesting bypass with falsy require options
A vm2 security fix was committed to close the NESTING_OVERRIDE resolver issue, preventing cases where nesting:true combined with omitted or falsy require settings could expose vm2 inside the sandbox and enable host RCE.
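Both of the NodeVM issues above are configuration-reachable: nesting enabled without an explicit require setting, and a builtin allowlist (or wildcard) that exposes process or inspector/promises. The following is an added example for this page, not vm2's own code: a static audit of a NodeVM options object that flags those two patterns. The option names nesting, require and require.builtin with the "*" wildcard are vm2's documented NodeVM options; the audit logic, its messages and the sample option objects are constructed here.

```javascript
// Added example (not vm2 code): audit a NodeVM options object for the two
// misconfigurations described in the advisories above.

// CVE-2026-47140: these builtins were missing from NodeVM's dangerous-builtin
// denylist and hand sandboxed code host execution primitives.
const DANGEROUS_BUILTINS = ['process', 'inspector/promises'];

function auditNodeVMOptions(opts) {
  const findings = [];
  const req = opts.require;

  // GHSA-m4wx-m65x-ghrr: nesting:true together with an omitted or falsy
  // `require` exposed the vm2 package itself inside the sandbox.
  if (opts.nesting === true && !req) {
    findings.push('nesting:true with omitted or falsy require: set nesting:false or configure require explicitly');
  }

  // Builtin allowlist review: a "*" wildcard, or an explicit entry, makes the
  // dangerous modules reachable from sandboxed code.
  if (req && typeof req === 'object' && Array.isArray(req.builtin)) {
    const builtin = req.builtin.map(String);
    const wildcard = builtin.includes('*');
    for (const mod of DANGEROUS_BUILTINS) {
      if (wildcard || builtin.includes(mod)) {
        findings.push(`builtin "${mod}" reachable${wildcard ? ' via "*" wildcard' : ''}: use an explicit allowlist that omits it`);
      }
    }
  }
  return findings;
}

// Constructed sample configurations (not taken from any real deployment).
const NESTING_ONLY = { nesting: true }; // require omitted entirely
const WILDCARD_BUILTINS = { nesting: true, require: { external: true, builtin: ['*'], root: './' } };
const HARDENED = { nesting: false, require: { external: false, builtin: ['path', 'url'] } };

for (const [name, opts] of Object.entries({ NESTING_ONLY, WILDCARD_BUILTINS, HARDENED })) {
  const findings = auditNodeVMOptions(opts);
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

The audit is a pre-deployment check, not a substitute for upgrading: even the HARDENED object only avoids the two configuration-dependent issues, while the other escapes on this page affected default configurations and are fixed only by the patched releases.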
Public tracking issue opened for NetBox CVE-2026-29514
A public tracking issue for the NetBox Jinja2 sandbox bypass and RCE vulnerability was opened on May 4, 2026, after the coordinated-disclosure emails sent to the vendor on March 10, 2026 were reportedly lost.
vm2 version 3.11.0 released to fix 13 advisories
vm2 released version 3.11.0 as a coordinated security update that closed 13 advisories, including multiple sandbox-escape RCE flaws, denial-of-service issues, information disclosure, and prototype pollution weaknesses. The release also added hardening features such as buffer allocation limits and stricter defaults for dangerous builtins.
Fastify fixed @fastify/middie auth bypass in version 9.3.2
The @fastify/middie plugin fixed CVE-2026-6270 in version 9.3.2, resolving a middleware path prefix propagation flaw that could leave child plugin routes unprotected despite parent-scope authentication middleware.
NetBox disclosure emails reportedly sent to vendor
According to the report on CVE-2026-29514, coordinated disclosure emails about the NetBox Jinja2 sandbox bypass were sent on March 10, 2026, but were reportedly lost during the disclosure process.
vm2 version 3.10.5 released with sandbox escape fixes
The vm2 project released version 3.10.5 with security hardening and fixes for multiple sandbox escape paths, including protections against access to dangerous code-execution primitives such as the Function constructor.
n8n fixed Git Node RCE in version 1.113.0
The n8n project fixed CVE-2025-62726 in version 1.113.0, addressing a flaw where cloning a malicious repository and later committing could execute attacker-controlled pre-commit hooks with n8n process privileges.
Sources
18 references tracked.
CVE-2026-47140 - vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution (cvefeed.io)
CVE-2026-47209 - vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain (cvefeed.io)
CVE-2026-47135 - vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks (cvefeed.io)
CVE-2026-47131 - vm2: Sandbox Escape (cvefeed.io)
Release v3.11.0 · patriksimek/vm2 · GitHub (github.com)
Brief Summary: CVE-2026-6270 - @fastify/middie Authentication Bypass via Child Plugin Scope Inheritance Failure - ZeroPath Blog (zeropath.com)
Release v3.10.5 · patriksimek/vm2 · GitHub (github.com)
n8n Git Node RCE (CVE-2025-62726): Brief Summary and Technical Review - ZeroPath Blog (zeropath.com)