CVE-2026-24120
Published: 04 May 2026
Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the…
more
host system. This issue has been patched in version 3.10.5.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.
Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.
Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.
Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.
The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.
Impact analysis identifies changes that could weaken or disable existing protection mechanisms.
Security SummaryAI
CVE-2026-24120 affects vm2, an open-source virtual machine and sandbox for Node.js applications. In versions prior to 3.10.5, the patch for the prior vulnerability CVE-2023-37466 proves insufficient and can be bypassed. This allows attackers to craft code that escapes the VM2 sandbox confines, enabling execution of arbitrary commands directly on the host system. The issue is classified under CWE-94 (code injection) and CWE-693 (protection mechanism failure), with a CVSS v3.1 base score of 9.8.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, specifically by breaking out of the sandbox to run arbitrary host commands, potentially leading to full system compromise in environments relying on vm2 for code isolation.
The vm2 project has addressed this in version 3.10.5, as detailed in the release notes and GitHub security advisory GHSA-qvjj-29qf-hp7p. Security practitioners should prioritize upgrading affected Node.js applications using vm2 to at least version 3.10.5 to mitigate the sandbox escape risk.
Details
- CWE(s)