vm2 Node.js Sandbox Flaws Enable Escape and Arbitrary Code Execution on Host Systems
The danger in vm2 is not just another vulnerable dependency. It is a failure mode at the exact point where applications expect isolation to hold.
A dozen newly disclosed vulnerabilities in the vm2 Node.js library can allow attacker-controlled JavaScript to escape the sandbox and execute arbitrary code on the underlying host. For any product that uses vm2 to run plugins, user-submitted scripts, templates, automation logic, or code challenges, the impact can shift quickly from “sandboxed input” to host compromise.
What Happened
Security advisories published for vm2 in early May 2026 detail 12 vulnerabilities with CVSS scores reaching 10.0. The flaws affect multiple vm2 versions, including releases up to 3.11.1, with fixes landing across 3.10.5, 3.11.0, 3.11.1, and the latest 3.11.2 release.
The vulnerabilities include sandbox escapes through JavaScript internals such as __lookupGetter__, Promise species behavior, object prototype handling, inspection functions, null-prototype exceptions, and bridge behavior between the sandbox and host contexts.
Several of the advisories describe the same operational end state: an attacker who can run arbitrary JavaScript inside a vm2 sandbox may be able to break out and execute commands on the host system.
The Most Serious Vulnerabilities
The disclosed set includes several critical flaws defenders should prioritize. CVE-2026-43997 carries a CVSS score of 10.0 and allows attackers to obtain the host Object, escape the sandbox, and reach remote code execution conditions.
CVE-2026-44006, also scored 10.0, involves code injection through BaseHandler.getPrototypeOf, enabling sandbox escape and remote code execution in affected versions up to 3.10.5.
CVE-2026-44005, another CVSS 10.0 issue, enables attacker-controlled JavaScript to escape the sandbox and trigger prototype pollution. That combination is especially dangerous in Node.js environments because prototype manipulation can become a bridge from logic corruption into code execution.
Other critical vulnerabilities include CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956, CVE-2026-44008, and CVE-2026-44009, each tied to sandbox escape or arbitrary command execution scenarios.
Why This Stands Out
vm2 is not a utility package sitting far from sensitive execution paths. It exists specifically to run untrusted JavaScript in a restricted environment. When that restriction fails, the affected application may hand an attacker a direct path from controlled script input to host-level execution.
The project’s own documentation describes vm2 as a sandbox for Node.js that intercepts and proxies JavaScript objects to prevent sandboxed code from accessing the host environment. That design goal is precisely why these vulnerabilities matter: they target the boundary vm2 is meant to enforce.
The recurring pattern is also important. The latest disclosures follow earlier critical vm2 sandbox escapes, including CVE-2026-22709, where Promise callback sanitization could be bypassed to escape the sandbox and run arbitrary code. This is not a single missed check. It is a repeated contest between JavaScript’s dynamic object model and attempts to safely virtualize it inside the same runtime.
Why Defenders Should Care
The most exposed systems are those that treat vm2 as a security control rather than a convenience layer. That includes developer tooling, online code execution services, workflow automation platforms, internal scripting engines, low-code products, capture-the-flag platforms, plugin systems, and SaaS features that let customers submit JavaScript-like logic.
The key question for defenders is simple: can an external user, tenant, customer, plugin author, or compromised account influence code that is evaluated inside vm2? If the answer is yes, this becomes a potentially serious remote code execution risk.
Updating to vm2 3.11.2 is the immediate action, but it should not be treated as the entire fix. Security teams should identify where vm2 is present, including transitive copies nested under other dependencies, determine whether it is reachable from untrusted input, review container and process isolation around those workloads, and inspect logs for suspicious child process execution, unexpected file writes, outbound network activity, or sandbox errors logged shortly before system commands ran.
The Bigger Picture
The vm2 disclosures expose a larger problem in server-side JavaScript security: “sandboxed” does not automatically mean isolated in the way defenders expect. A library-level sandbox running inside the same runtime is not the same as a hardened process, container, microVM, or operating-system-enforced security boundary.
That distinction matters operationally. If untrusted code can touch complex host objects, cross-context prototypes, async behavior, inspection hooks, species constructors, or error handling machinery, the sandbox boundary becomes a large and fragile attack surface.
For mature environments, the safer pattern is layered containment: isolate execution in separate processes, run those processes in containers or microVMs, remove unnecessary filesystem and network access, apply strict resource limits, and assume that a JavaScript sandbox escape is a realistic failure condition rather than an edge case.
NeuraCyb's Assessment
The vm2 vulnerabilities are a sharp reminder that sandbox libraries are not magic walls. They are code, and in JavaScript, the boundary between “guest object” and “host capability” can be surprisingly thin.
Defenders should patch quickly, but the strategic takeaway is bigger than a version bump. Any platform executing user-controlled code needs isolation that survives the failure of the library meant to contain it. Treat vm2 as one layer, not the perimeter.
References
GitHub Advisory: VM2 Sandbox Breakout Through __lookupGetter__ / CVE-2026-24118
GitHub Advisory: Sandbox Breakout Through Promise Species / CVE-2026-24120
GitHub Advisory: vm2 Sandbox Escape / CVE-2026-43997
GitHub Advisory: Sandbox Breakout via neutralizeArraySpeciesBatch / CVE-2026-44008
GitHub Release: vm2 v3.11.2 Security Fixes