External risk intelligence

vm2 Node.js sandbox escape allows attackers to run commands on your system

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-24118

An external attacker can exploit a flaw in the vm2 software to bypass its security protections and take control of your host server. This could lead to a total system compromise, potentially exposing sensitive credentials and files stored on your infrastructure.

3Halo Surface Signal

Code Injection

Vm2 Project Vm2

before 3.11.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-24118

vm2 is a software library integrated into applications, not a standalone service. While frequently used to process untrusted user input in web applications, its internet reachability is indirect and depends entirely on how the parent application exposes this sandboxing functionality to external users.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in vm2, a Node.js sandbox, allows attackers to break out of the sandbox and run unauthorized commands on the host system. This is a significant concern because it can undermine the security of applications using this library to isolate code.

Allows arbitrary code execution on host.
Impacts applications using vm2 for isolation.
Network-reachable attacks are possible.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted code to an application that uses the vulnerable `vm2` library. If the application executes this code within the `vm2` sandbox, the attacker's code could break out and run arbitrary commands on the host system. This could lead to full compromise of the server running the application.

Remote, unauthenticated access is possible.
Targets applications using `vm2` library.
Requires code execution within the sandbox.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in vm2 allows arbitrary code execution on the host system, making it a critical target. Attackers generally favor vulnerabilities that offer remote code execution with minimal prerequisites, and this CVE fits that description. The fact that it is a sandbox breakout for Node.js applications indicates a potentially widespread impact across various web services and internal tools.

Public exploit code is available.
The vulnerability is present in a widely used Node.js sandbox.
The fix is readily available via version update.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading vm2 to version 3.11.0 or later to address the critical sandbox breakout vulnerability. If immediate patching isn't feasible, isolate or take offline any services that process untrusted input through the vm2 sandbox until mitigation can be applied. Monitor for signs of command injection or unauthorized system access.

Upgrade vm2 to version 3.11.0+.
Isolate or disable services using vulnerable vm2.
Monitor for suspicious host commands.

Frequently asked questions

What is vm2 and how does it relate to Node.js security?

vm2 is an open-source sandbox designed for Node.js applications. Its purpose is to create a secure, isolated environment for executing untrusted code. This is crucial for applications that need to run code from external sources without compromising the host system.

What type of vulnerability does CVE-2026-24118 in vm2 present?

CVE-2026-24118 is a sandbox breakout vulnerability. This weakness, categorized under CWE-94 (Improper Control of Generation of Code 'Code Injection') and CWE-693 (Protection Mechanism Failure), allows attackers to escape the intended isolation of the vm2 sandbox.

How can an attacker exploit the vm2 sandbox vulnerability?

An attacker can exploit this vulnerability by crafting malicious code that, when executed within the vm2 sandbox, triggers the breakout. This allows the attacker's code to execute arbitrary commands directly on the host system, bypassing the sandbox's security measures.

What is the significance of the vm2 sandbox breakout vulnerability?

The vm2 sandbox breakout vulnerability is significant because it allows attackers to execute arbitrary code on the host system, potentially leading to a full compromise. The Halo Surface Signal indicates this is a 'Possible' threat due to vm2's integration into applications, making its exposure indirect but dependent on the parent application's design.

What actions should be taken to address the vm2 vulnerability?

The primary action is to upgrade vm2 to version 3.11.0 or a later version, which includes the fix for this vulnerability. If an immediate upgrade is not possible, consider isolating or disabling services that process untrusted input through the vulnerable vm2 sandbox until mitigation can be applied. Continuous monitoring for unusual host commands is also advised.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.