CVE-2026-24781 – vm/sandbox for Node.js
“A broken sandbox turns trusted code isolation into full system exposure.”
The latest vm2 patch addresses multiple critical sandbox escape vulnerabilities that let an attacker who can submit JavaScript to the sandbox break out of it and execute arbitrary code on the host system. The vulnerabilities addressed are CVE-2026-24118, CVE-2026-24120, CVE-2023-37466, CVE-2026-24781, CVE-2026-26332, and CVE-2026-26956. They affect applications that use vm2 to run untrusted code inside Node.js. Because vm2 executes sandboxed code in the same Node.js process as the host application, an escape yields the full privileges of that process (its file system, network and environment access), not just what the sandbox was meant to expose.
- CVE-2026-24118: CVSS 9.8 (Critical); public proof-of-concept code is available.
- CVE-2026-24120: CVSS 9.8 (Critical); public proof-of-concept code is available.
- CVE-2023-37466: CVSS 9.8 (Critical); availability of public proof-of-concept code is not stated.
- CVE-2026-24781: CVSS 9.8 (Critical); public proof-of-concept code is available.
- CVE-2026-26332: CVSS 9.8 (Critical); public proof-of-concept code is available.
- CVE-2026-26956: CVSS 9.8 (Critical); public proof-of-concept code is available.
The patch strengthens sandbox isolation controls and closes multiple paths that attackers could use to reach host-level functionality. Systems that rely on vm2 for tenant isolation, plugin execution, or automation workloads face elevated risk until the update is applied. Note that vm2 is often pulled in transitively by plugin frameworks and automation tooling, so every copy in the dependency tree must be upgraded, not only the one declared directly. As defence in depth, run the vm2 sandbox in a separate, least-privileged process so that an escape is contained at the OS boundary rather than exposing the main application.
Key Details
- Affected Product: vm2 (Vm2 Project)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-94 (Improper Control of Generation of Code, 'Code Injection')