Dozen critical vm2 flaws allow sandbox escape

A dozen critical vulnerabilities in the vm2 Node.js library let attackers escape the sandbox and run arbitrary code. Users are urged to upgrade to vm2 3.11.2. Disclosed May 7, 2026.

On May 7, 2026, researchers and the vm2 maintainer disclosed twelve critical vulnerabilities in the vm2 Node.js sandbox library that can be used to escape the sandbox and execute arbitrary code on affected hosts. vm2 is an open-source library that runs untrusted JavaScript by intercepting and proxying objects to isolate code from the host environment.

The flaws involve object handlers, built-in allowlists and prototype handling. Specific vulnerabilities include CVE-2026-24118, which permits escape via __lookupGetter__, CVE-2026-24781 via the inspect function, CVE-2026-43997 and CVE-2026-44006 described as code-injection flaws that allow access to the host Object, and CVE-2026-43999 which bypasses NodeVM’s allowlist to load excluded built-ins such as child_process. CVE-2026-44005 enables prototype pollution from sandboxed scripts. Other defects exploit Promise species properties, SuppressedError objects, Symbol-to-string coercion that triggers TypeErrors, neutralizeArraySpeciesBatch(), and a null-proto exception. Many of the issues carry CVSS scores of 9.8 or 10.0.

Affected versions include releases 3.10.5 and earlier, with a subset of the flaws also affecting versions through 3.11.1. The project issued patches across 3.10.5, 3.11.0, 3.11.1 and 3.11.2. The maintainer recommends upgrading to 3.11.2 for the full set of fixes. The Symbol-to-string coercion issue was confirmed on Node.js 25.6.1. The disclosure follows an earlier fix for CVE-2026-22709.

Systems that use vm2 to run untrusted JavaScript are affected, including server-side tooling, plugin systems and environments that execute third-party scripts. Exploitation could allow an attacker to run operating system commands, load restricted Node.js built-ins or manipulate object prototypes to change host behavior.

Because many exploits leverage subtle JavaScript behaviors and internal object handling, patches require updating the vm2 library rather than only changing application configuration. Security teams are advised to locate where vm2 is used in production, apply the 3.11.2 update, and consider isolating processes that execute untrusted code or adding operating-system level containment while patches are deployed.
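One way to carry out the first of those steps, as an added example that is not part of the article or of the vm2 project: a Node.js script that walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and flags every vm2 install, direct or nested, whose version is below 3.11.2. The lockfile contents are constructed inline so the script runs offline.

```javascript
// Added example (not from the advisory): scan an npm lockfile for vm2
// installs older than the recommended fix release and report them.
const FIXED_VERSION = "3.11.2"; // release carrying the full set of fixes

// Compare two dotted versions; returns -1, 0 or 1. A pre-release tag
// (e.g. "3.11.2-rc.1") sorts below the corresponding final release.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const preA = a.includes("-"), preB = b.includes("-");
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Return every vm2 install path whose resolved version is below
// FIXED_VERSION. Paths look like "node_modules/vm2" for a direct
// dependency or "node_modules/<pkg>/node_modules/vm2" for a nested copy.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 still on 3.10.5, a nested copy
// already on 3.11.2, and an unrelated package to show the filtering.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "plugin-host", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.5" },
    "node_modules/some-runner": { version: "2.0.0" },
    "node_modules/some-runner/node_modules/vm2": { version: "3.11.2" },
  },
};

for (const f of findVulnerableVm2(sampleLock)) {
  console.log(`${f.path}: vm2 ${f.version} < ${FIXED_VERSION}, upgrade required`);
}
```

In practice, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and run it against each deployed service; a nested copy pulled in by another package is just as exposed as a direct one.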

Maintainers and researchers noted that JavaScript’s dynamic object model and internal hooks have allowed repeated sandbox bypasses. Users are advised to monitor vm2 release notes and related advisories for any further updates.
