Vm2 Node.js sandbox escape and RCE vulnerabilities (CVE-2026-24118)
Vulnerability
Summary
vm2 now has multiple critical vulnerabilities that can let attacker-controlled JavaScript escape the sandbox and reach the host, creating arbitrary code execution risk for affected deployments. The disclosure covers flaws such as CVE-2026-24118 and related bypasses, and the recommended fix is to move to 3.11.2.
Related Happenings
Vm2 Node.js sandbox escape (CVE-2026-26956)
Vulnerability
First: 06.05.2026 21:38
Last: 06.05.2026 21:38
Sources 1
About this happening:
A **PoC exploit** for **CVE-2026-26956** now exposes **vm2 3.10.4** deployments to **arbitrary code execution on the host**. The flaw may also affect **earlier vm2 releases**, but...
Terrarium CVE-2026-5752 mitigation guidance
Advisory/Mitigation
First: 22.04.2026 10:16
Last: 22.04.2026 10:16
Sources 1
About this happening:
**CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...
Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)
Vulnerability
First: 27.01.2026 18:35
Last: 27.01.2026 18:35
Sources 1
About this happening:
**vm2 Node.js sandbox library** has a critical **CVE-2026-22709** sandbox-escape flaw that can let untrusted JavaScript break out and run **arbitrary code** on the host. The weakn...
Tokio-tar remediation guidance (CVE-2025-62518)
Advisory/Mitigation
First: 22.10.2025 20:21
Last: 22.10.2025 20:21
Sources 1
About this happening:
**Edera** told developers using **tokio-tar** to **upgrade to a patched version** or **immediately remove** the dependency because **CVE-2025-62518** leaves projects exposed to ar...
Timeline
- 07.05.2026 07:15 · 2 articles
vm2 vulnerability disclosure
Initial Disclosure
The disclosure for the vm2 Node.js library identifies 12 critical vulnerabilities affecting versions through 3.11.1. They include sandbox escape paths through __lookupGetter__, inspect, SuppressedError, NodeVM allowlist bypasses, BaseHandler.getPrototypeOf, neutralizeArraySpeciesBatch(), null proto exceptions, and prototype pollution. The reported impact is arbitrary code execution or remote code execution on the underlying host, and operators are advised to upgrade to 3.11.2.
Sources:
- vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution — thehackernews.com — 07.05.2026 07:15