The popular Node.js sandboxing library vm2 has been found to contain 11 critical vulnerabilities that threaten the integrity of applications that depend on it. These flaws let attacker-supplied code escape the sandbox and run on the host, posing serious risks to affected systems.
Impact of the Vulnerabilities
All versions of vm2 up to 3.11.1 are affected, allowing attackers to break out of the sandbox environment and execute commands on the host system. Alarmingly, two of these vulnerabilities remain without patches, leaving systems vulnerable to remote code execution.
vm2 is a Node.js package designed to execute untrusted JavaScript in a confined setting. It is used across a range of platforms, including online code execution environments, continuous integration pipelines, and multi-tenant cloud services.
The core of vm2's security model is its ability to contain malicious code and protect the host system. Researchers have now demonstrated, through eleven distinct sandbox-escape techniques, that this model has significant weaknesses.
Details of Severe Vulnerabilities
Among the most critical issues is CVE-2026-24118, which abuses the __lookupGetter__ method to escape the sandbox. Another, CVE-2026-24120, circumvents the Promise species protections, enabling command execution on the host via child_process.execSync.
Additionally, CVE-2026-24781 manipulates Node.js' util module to reach host objects, bypassing vm2's proxy defenses. CVE-2026-26332 and CVE-2026-26956 use newer JavaScript language features to break through vm2's isolation layers.
Other flaws, such as CVE-2026-43997 and CVE-2026-44006, traverse prototype chains to breach the sandbox boundary. CVE-2026-43999 leverages the module loading logic to bypass restrictions, while CVE-2026-44005 demonstrates a prototype pollution risk.
Recommendations for Mitigation
To address these vulnerabilities, operators should update vm2 to version 3.11.1. This release fixes the vulnerabilities for which patches are available and should be deployed on all affected systems.
For the two vulnerabilities that remain unpatched, CVE-2026-44008 and CVE-2026-44009, a more cautious approach is advised. Teams should consider alternative sandboxing solutions, such as Docker or gVisor, which offer kernel-level isolation rather than a boundary enforced solely within the JavaScript runtime.
Developers are also advised to avoid certain configurations, including the nesting: true option and wildcard module allow-lists (entries that grant sandboxed code access to every external or builtin module), to minimize the exposure of the host.
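The two recommendations above (upgrade to 3.11.1; avoid nesting: true and wildcard module grants) can be turned into a configuration audit that runs in a CI step before an application that embeds vm2 is deployed. The following is an added example written for this article, not code from the article or from the vm2 project. It assumes the option names of vm2's NodeVM constructor (nesting, require.external, require.builtin, where external may be true, an array, or an object with a modules array, and builtin is an array that accepts "*"), and that the installed version string is read from your lockfile or from npm ls vm2 output. The sample configurations at the bottom are constructed for illustration.

```javascript
// Added example (not the article's or vm2's own code): audit a vm2 NodeVM
// options object and the installed vm2 version against the article's advice.
// Assumed option names: nesting, require.external, require.builtin (vm2 NodeVM).

const PATCHED_VERSION = '3.11.1'; // release the article recommends upgrading to

// Compare two dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns true when a module grant is a wildcard (any module allowed).
function isWildcard(grant) {
  if (grant === true) return true;                      // external: true
  if (Array.isArray(grant)) return grant.includes('*'); // ['*']
  if (grant && typeof grant === 'object' && Array.isArray(grant.modules)) {
    return grant.modules.includes('*');                 // external: { modules: [...] }
  }
  return false;
}

// Audit the installed version and a NodeVM options object.
// Returns an array of findings; an empty array means nothing was flagged.
function auditVm2(installedVersion, options) {
  const findings = [];
  if (compareVersions(installedVersion, PATCHED_VERSION) < 0) {
    findings.push(`vm2 ${installedVersion} is older than ${PATCHED_VERSION}; upgrade`);
  }
  if (options.nesting === true) {
    findings.push('nesting: true is enabled; disable it');
  }
  const req = options.require || {};
  if (isWildcard(req.external)) {
    findings.push('require.external grants every external module; use an explicit allow-list');
  }
  if (isWildcard(req.builtin)) {
    findings.push('require.builtin grants every builtin module; use an explicit allow-list');
  }
  if (Array.isArray(req.builtin) && req.builtin.includes('child_process')) {
    findings.push('require.builtin exposes child_process to sandboxed code');
  }
  return findings;
}

// Constructed sample configurations: the weak settings the article warns
// against, beside a hardened equivalent with explicit allow-lists.
const riskyOptions = {
  nesting: true,
  require: { external: true, builtin: ['*'] },
};
const hardenedOptions = {
  nesting: false,
  require: { external: ['lodash'], builtin: ['path'] },
};

console.log(auditVm2('3.9.19', riskyOptions));   // four findings
console.log(auditVm2('3.11.1', hardenedOptions)); // []
```

The audit is deliberately independent of vm2 itself so it can run in a pipeline that does not install the library; wire it to whatever loads your NodeVM options and fail the build when the returned array is non-empty. A clean result only covers the patched issues and the configuration advice; it does not address the two unpatched CVEs, for which the article recommends moving to an isolation mechanism outside the JavaScript runtime.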
The extensive range of these vulnerabilities highlights the limitations of vm2’s JavaScript-only isolation model for high-security applications. Organizations should reassess their use of vm2 in critical environments.
