Critical vm2 Node.js Flaws Allow Arbitrary Library Vulnerabilities
VM2 faces 11 critical vulnerabilities, placing countless dependent applications at risk of untrusted code execution.
Affecting all versions up to 3.11.1, each flaw provides attackers with a clear path out of the sandbox and into the host system, with full command execution capabilities. Worse, two of the eleven remain completely unpatched.
vm2 is a Node.js npm package that executes untrusted JavaScript inside an isolated container, powering everything from code execution platforms and CI pipelines to plugin engines and multi-tenant cloud services.
Its entire security model rests on one promise: keep malicious code inside, keep the host safe. Researchers have now shredded that promise across eleven distinct techniques, exposing just how thin the walls of that container truly were.
The library’s core promise that code running inside a VM instance cannot reach the host system has been fundamentally broken by these disclosures, with all vulnerabilities enabling full remote code execution (RCE) on the underlying host.
vm2 Node.js Library Vulnerabilities
Among the most severe issues is CVE-2026-24118, which exploits __lookupGetter__ behavior to escape the sandbox. At the same time, CVE-2026-24120 bypasses Promise species protections to execute commands via child_process.execSync.
Another flaw, CVE-2026-24781, abuses the internals of Node.js’ util.inspect to expose raw host objects and bypass vm2’s proxy isolation layer.
Newer JavaScript features also introduced attack paths. CVE-2026-26332 leverages DisposableStack and SuppressedError mechanics in Node.js v24 to expose the host Function object.
CVE-2026-26956 targets Node.js v25 using a WebAssembly try_table instruction that bypasses vm2’s sanitization entirely. Researchers demonstrated full root-level code execution through this technique.
Additional vulnerabilities exploit prototype chains and module loading logic. CVE-2026-43997 and CVE-2026-44006 abuse util.inspect and prototype traversal to achieve sandbox escapes.
CVE-2026-43999 bypasses vm2’s built-in module restrictions using Module._load(), even when child_process is explicitly blocked.
Prototype pollution also remains a serious concern. CVE-2026-44005 allows attackers to modify shared host prototypes, such as Object.prototype and Function.prototype, potentially impacting the entire Node.js process.
A dangerous configuration flaw tracked as GHSA-8hg8-63c5-gwmx revealed that enabling nesting: true effectively defeats require: false, allowing sandboxed code to create unrestricted inner VMs and achieve full RCE despite security restrictions.
Most concerning, two critical vulnerabilities, CVE-2026-44008 and CVE-2026-44009, remain unpatched in versions up to 3.11.1.
These flaws exploit array species handling and exception logic to expose host-side objects and regain unrestricted access to the host Function constructor.
| CVE ID | Affected Versions | Patched Version |
|---|---|---|
| CVE-2026-24118 | ≤ 3.10.4 | 3.11.0 |
| CVE-2026-24120 | ≤ 3.10.3 | 3.10.5 |
| CVE-2026-24781 | ≤ 3.10.3 | 3.11.0 |
| CVE-2026-26332 | ≤ 3.10.4 | 3.11.0 |
| CVE-2026-26956 | 3.10.4 | 3.10.5 |
| CVE-2026-43997 | ≤ 3.10.5 | 3.11.0 |
| CVE-2026-43999 | 3.10.5 | 3.11.0 |
| CVE-2026-44005 | 3.9.6–3.10.5 | 3.11.0 |
| CVE-2026-44006 | ≤ 3.10.5 | 3.11.0 |
| CVE-2026-44008 | ≤ 3.11.1 | No patch available |
| CVE-2026-44009 | ≤ 3.11.1 | No patch available |
| — | ≤ 3.11.0 | 3.11.1 |
According to reports published by patriksimek on GitHub, the eleven vulnerabilities highlight ongoing weaknesses in vm2’s sandbox security model, putting applications that execute untrusted code at significant risk.
Operators should immediately upgrade VM2 to version 3.11.1 to address all currently patched vulnerabilities.
For CVE-2026-44008 and CVE-2026-44009, no fix is available, and teams should consider disabling VM2-based sandboxing altogether, replacing it with kernel-level isolation technologies such as Docker, gVisor, or Firecracker microVMs.
Developers must avoid the nesting: true option and wildcard built-in configurations, such as ['*', '-child_process'], in any environment running untrusted code.
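The upgrade and configuration advice above can be turned into an automated check. The following is an added example written for this article, not code from the vm2 project or the advisories; it assumes the options object has the shape passed to vm2’s NodeVM constructor (require.builtin array, nesting flag) and that versions are plain dotted strings.

```javascript
// Added example: audit an installed vm2 version and a NodeVM options object
// against the advisory summary in the article. Not vm2 project code.
// Assumption: options look like { require: { builtin: [...] }, nesting: true/false }.

const PATCHED_VERSION = '3.11.1';                              // fixes everything that has a fix
const UNPATCHED_CVES = ['CVE-2026-44008', 'CVE-2026-44009'];   // still open at 3.11.1

// Numeric comparison of dotted version strings ("3.10.4" < "3.11.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Below 3.11.1 the install is missing published fixes; at 3.11.1 or later it
// still carries the two unpatched escapes, so the sandbox itself should be replaced.
function vm2VersionStatus(version) {
  if (compareVersions(version, PATCHED_VERSION) < 0) {
    return { action: 'upgrade', to: PATCHED_VERSION, openCves: UNPATCHED_CVES };
  }
  return { action: 'replace-sandbox', to: null, openCves: UNPATCHED_CVES };
}

// Flag the two option patterns the article tells operators to avoid:
// nesting: true, and a wildcard builtin list that relies on '-module' exclusions.
function auditVm2Options(options) {
  const findings = [];
  if (options.nesting === true) {
    findings.push('nesting: true defeats require: false; inner VMs are unrestricted (GHSA-8hg8-63c5-gwmx)');
  }
  const builtin = options.require && Array.isArray(options.require.builtin) ? options.require.builtin : [];
  if (builtin.includes('*')) {
    const excluded = builtin.filter((m) => m.startsWith('-')).map((m) => m.slice(1));
    findings.push(`wildcard builtin list excluding [${excluded.join(', ')}]: built-in restrictions ` +
      'have been bypassed even with child_process blocked (CVE-2026-43999)');
  }
  return findings;
}

// Constructed sample: a configuration a plugin host might use for untrusted code.
const sampleOptions = { require: { builtin: ['*', '-child_process'] }, nesting: true };
console.log(vm2VersionStatus('3.10.4'));
console.log(auditVm2Options(sampleOptions));
```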
Given the sheer volume and diversity of these bypass techniques, spanning JavaScript prototype manipulation, WebAssembly exception handling, Promise species overwriting, and built-in module loading, vm2’s JavaScript-only isolation model should be considered fundamentally insufficient for high-security use cases.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.