{"id":240859,"date":"2026-05-07T00:15:00","date_gmt":"2026-05-07T04:15:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/vm2-node-js-library-vulnerabilities-enable-sandbox-escape-and-arbitrary-code-execution\/"},"modified":"2026-05-07T07:55:09","modified_gmt":"2026-05-07T11:55:09","slug":"vm2-node-js-library-vulnerabilities-enable-sandbox-escape-and-arbitrary-code-execution","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/07\/vm2-node-js-library-vulnerabilities-enable-sandbox-escape-and-arbitrary-code-execution\/","title":{"rendered":"vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/vm2-nodejs-library-vulnerabilities.html\">vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/vm2-nodejs-library-vulnerabilities.html\">https:\/\/thehackernews.com\/2026\/05\/vm2-nodejs-library-vulnerabilities.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-07 00:15:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">May 07, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Software Security<\/span><\/p>\n<p>A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.<\/p>\n<p>vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.<\/p>\n<p>The security flaws are listed below &#8211;<\/p>\n<ul>\n<li><strong>CVE-2026-24118<\/strong> (CVSS score: 9.8) &#8211; A vulnerability that allows sandbox escape via &#8220;__lookupGetter__&#8221; and permits an attacker to run arbitrary code on the underlying host. (Affects versions\n<\/li>\n<li><strong>CVE-2026-24120<\/strong> (CVSS score: 9.8) &#8211; A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host. (Affects versions\n<\/li>\n<li><strong>CVE-2026-24781<\/strong> (CVSS score: 9.8) &#8211; A vulnerability that allows sandbox escape via the &#8220;inspect&#8221; function and permits an attacker to run arbitrary code on the underlying host. (Affects versions\n<\/li>\n<li><strong>CVE-2026-26332<\/strong> (CVSS score: 9.8) &#8211; A vulnerability that allows sandbox escape via &#8220;SuppressedError&#8221; and permits an attacker to run arbitrary code on the underlying host. (Affects versions\n<\/li>\n<li><strong>CVE-2026-26956<\/strong> (CVSS score: 9.8) &#8211; A protection mechanism failure vulnerability that allows sandbox escape with arbitrary code execution by triggering a TypeError produced by Symbol-to-string coercion. (Affects version 3.10.4, confirmed on Node.js 25.6.1, patched in 3.10.5)<\/li>\n<li><strong>CVE-2026-43997<\/strong> (CVSS score: 10.0) &#8211; A code injection vulnerability that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution. (Affects versions\n<\/li>\n<li><strong>CVE-2026-43999<\/strong> (CVSS score: 9.9) &#8211; A vulnerability that allows a bypass of NodeVM&#8217;s built-in allowlist and enables an attacker to load excluded builtins like child_process and&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/vm2-nodejs-library-vulnerabilities.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution https:\/\/thehackernews.com\/2026\/05\/vm2-nodejs-library-vulnerabilities.html Publish Date: 2026-05-07&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240860,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGJE3Tcr425AIfztOUrdhPUiEkVY8bMrHMmO-5FZ2N3cLaW9ErdLJJS3KwjzYNvLAIcVT7xpSw8wswiDIPenyZa_ki3ZrOHJFY-cXKHPu0EGnfCGXxkEAlvE6tLogT8T_lRolQ-qI-GFqlgwqpbLD1HfmDo4HkJbV9XNDh9rcGbM3Nc8ruu5I_47DBmzsy\/s1600\/vm2.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-240859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240859"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240859"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240859\/revisions"}],"predecessor-version":[{"id":240861,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240859\/revisions\/240861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240860"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}