Twelve Critical Vulnerabilities in vm2 Node.js Library Enable Complete Sandbox Escape

12 critical CVEs disclosed
3 perfect 10.0 CVSS scores
100% sandbox escape rate
3.11.2 patched version required

The vm2 Node.js library, a widely deployed sandbox solution for executing untrusted JavaScript code, contains twelve critical vulnerabilities that allow complete sandbox escape and arbitrary code execution on host systems. Three of these vulnerabilities received the maximum CVSS score of 10.0, reflecting the severity of the threat to organizations relying on vm2 for code isolation.

vm2 functions as a security boundary for Node.js applications that need to execute untrusted JavaScript code safely. The library intercepts and proxies JavaScript objects to prevent sandboxed code from accessing the host environment. These vulnerabilities fundamentally compromise that core security promise, allowing attackers to break free from isolation and gain full access to the underlying system.

The Critical Three: Perfect 10.0 CVSS Vulnerabilities

Three vulnerabilities stand out with maximum severity ratings. CVE-2026-43997 allows attackers to obtain the host Object and escape the sandbox through code injection, affecting all versions through 3.10.5. CVE-2026-44005 enables attacker-controlled JavaScript to escape and perform prototype pollution across versions 3.9.6 through 3.10.5. CVE-2026-44006 exploits the BaseHandler.getPrototypeOf method for sandbox escape and remote code execution in versions through 3.10.5.

Immediate Action Required

All organizations using vm2 must upgrade to version 3.11.2 immediately. The vulnerabilities affect every version through 3.11.1, with multiple attack vectors available to adversaries. No workarounds exist beyond upgrading to the patched version.

Nine Additional Critical-Severity Escapes

The remaining nine vulnerabilities all carry CVSS scores between 9.1 and 9.9, each providing distinct paths to sandbox escape. CVE-2026-24118 exploits the __lookupGetter__ method, while CVE-2026-24120 represents a bypass of a previous patch (CVE-2023-37466) through promise object species properties. CVE-2026-24781 leverages the inspect function, and CVE-2026-26332 uses SuppressedError objects as escape vectors.

CVE-2026-26956 exploits a protection mechanism failure triggered by Symbol-to-string coercion TypeError, confirmed specifically on Node.js 25.6.1. CVE-2026-43999 bypasses NodeVM's built-in allowlist to load excluded builtins like child_process, directly enabling remote code execution. CVE-2026-44007 exploits improper access control to execute arbitrary operating system commands. The final two vulnerabilities, CVE-2026-44008 and CVE-2026-44009, use neutralizeArraySpeciesBatch() and null proto exceptions respectively for sandbox escape.

Pattern of Continuous Bypass Discovery

This disclosure follows patches released just months earlier for CVE-2026-22709, another critical sandbox escape vulnerability with a 9.8 CVSS score. The rapid succession of discovered vulnerabilities demonstrates a fundamental challenge in JavaScript sandbox security. vm2 maintainer Patrik Simek has previously acknowledged that new bypasses will likely continue to emerge, reflecting the inherent difficulty of securely isolating JavaScript execution.

Supply Chain Implications

Organizations using vm2 as a security control in CI/CD pipelines, plugin systems, or user-generated content execution face immediate supply chain risk. Any system trusting vm2 for isolation should be treated as potentially compromised until patched and reviewed for indicators of exploitation.

Technical Attack Vectors

The vulnerabilities exploit various JavaScript language features and vm2's proxying mechanisms. Attackers can leverage built-in JavaScript methods like __lookupGetter__, manipulate error handling through SuppressedError, abuse promise species properties, and exploit type coercion behaviors. The diversity of attack vectors indicates systematic weaknesses in vm2's isolation approach rather than isolated implementation bugs.

Several vulnerabilities specifically target vm2's object proxying system, which forms the core of its security model. By obtaining references to host Objects through various JavaScript features, attackers can bypass the proxy layer entirely and access the underlying Node.js environment. Once host access is achieved, executing arbitrary system commands becomes trivial.

Remediation and Detection Priorities

Organizations must upgrade to vm2 version 3.11.2 immediately. No configuration changes or workarounds provide adequate protection for earlier versions. Security teams should inventory all systems using vm2, prioritizing internet-facing applications and systems processing untrusted code from external sources.
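As an added example for the inventory step above (not code from the advisory or from the vm2 project), the following Node.js snippet walks an npm lockfile and flags every vm2 copy, including nested transitive copies, whose version is below the patched release 3.11.2. It assumes the npm lockfileVersion 2/3 layout (a "packages" map keyed by "node_modules/<name>" paths); the lockfile contents below are constructed.

```javascript
// Added example: scan a package-lock.json for vm2 entries and flag any version
// below the patched release 3.11.2 named in the advisory. Assumes the npm
// lockfileVersion 2/3 layout ("packages" map keyed by "node_modules/<name>"
// paths); the sample lockfile below is constructed.
const PATCHED = '3.11.2';

// Compare plain dotted numeric versions (no pre-release tags):
// negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every installed package path and collect vm2 instances, including
// nested copies installed under transitive dependencies.
function findVm2(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      results.push({
        path,
        version: meta.version,
        vulnerable: compareVersions(meta.version, PATCHED) < 0,
      });
    }
  }
  return results;
}

// Constructed sample lockfile: a direct vm2 dependency at an unpatched version
// and a nested copy pulled in by a hypothetical plugin at the patched version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/some-plugin': { version: '1.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.2' },
  },
};

for (const r of findVm2(sampleLock)) {
  const status = r.vulnerable ? `VULNERABLE, upgrade to ${PATCHED}` : 'ok';
  console.log(`${r.path}: ${r.version} ${status}`);
}
```

To run this against a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json')) and repeat for every repository in scope.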

Long-Term Security Posture

The pattern of continuous vulnerability discovery in vm2 raises questions about the viability of JavaScript-based sandboxing for high-security requirements. Organizations should reassess their reliance on vm2 as a primary security control. Alternative approaches include OS-level containerization, isolated virtual machines, or WebAssembly-based sandboxing solutions that provide stronger isolation guarantees.

For systems that must continue using vm2, implement defense-in-depth strategies. Deploy vm2-based isolation inside containers with restricted capabilities, implement strict network segmentation, and maintain comprehensive logging of all sandbox execution. Monitor the vm2 project closely for future security advisories, as the maintainer's acknowledgment of ongoing bypass potential suggests additional vulnerabilities will emerge.


RedEye Security provides assessments for organizations that need to understand their real risk.
