CVE-2026-24118
Sandbox Breakout in vm2 Allows Arbitrary Code Execution
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vm2 | vm2 | < 3.11.0 (all versions before 3.11.0; 3.11.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade vm2 to version 3.11.0 or later; the advisory lists every version before 3.11.0 as affected, and 3.11.0 carries the fix for the sandbox breakout. Check transitive copies as well, because a lockfile can pin an older vm2 underneath another dependency even when the top-level copy is current. Until the upgrade is deployed, do not feed untrusted code to vm2, or run that workload in a separate process or container with least privilege so that an escape from the in-process sandbox does not immediately yield the host application's privileges.
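As an added check that is not part of this advisory or of the vm2 project, the script below scans a package-lock.json (lockfile v2/v3 "packages" map) for every installed copy of vm2, including nested transitive copies, and flags any version below the fixed version stated above. The fixed-version constant, the `some-plugin` dependency and the lockfile contents are constructed for the example; the semver comparison is a minimal stand-in for the `semver` package so the script runs with no dependencies.

```javascript
// Added example: audit a package-lock.json for vulnerable copies of vm2.
// Not code from the advisory or from vm2. Assumes, per the advisory,
// that every vm2 version before 3.11.0 is affected.

const FIXED_VERSION = '3.11.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
// Returns null for anything that is not a plain semver string.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release such as
// 3.11.0-rc.1 sorts below the 3.11.0 release, so it still counts as unfixed.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver string: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffectedVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the lockfile "packages" map. Keys are install paths such as
// "node_modules/vm2" or "node_modules/foo/node_modules/vm2"; "" is the root.
function findVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isVm2 = path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2');
    if (!isVm2 || !meta.version) continue;
    findings.push({ path, version: meta.version, affected: isAffectedVm2(meta.version) });
  }
  return findings;
}

// Human-readable report lines, one per installed vm2 copy.
function reportVm2(lockfile) {
  return findVm2(lockfile).map(
    (f) => `${f.affected ? 'VULNERABLE' : 'ok        '} ${f.path} vm2@${f.version}`
  );
}

// Constructed sample lockfile (hypothetical app and "some-plugin" dependency):
// the top-level vm2 is patched, but a transitive copy is still on 3.9.19.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.11.0', 'some-plugin': '1.0.0' } },
    'node_modules/vm2': { version: '3.11.0' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const line of reportVm2(SAMPLE_LOCKFILE)) console.log(line);
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of the project's package-lock.json (for example via `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`); the nested-path match is what catches the transitive copy that `npm ls vm2` reports but a glance at the top-level package.json misses.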
How can this vulnerability impact me?
The impact is severe where it applies: an attacker who can get code executed inside the vm2 sandbox can escape it and run arbitrary code in the host Node.js process, with whatever privileges that process holds, and from there run commands on the host. That can mean full compromise of the application host, access to any data or credentials the process can reach, disruption of the service, and a foothold for further attacks on the surrounding environment.
Can you explain this vulnerability to me?
The vulnerability is in vm2, an open-source virtual machine and sandbox for Node.js. In versions before 3.11.0, an attacker who can supply code to be run inside the sandbox can write that code so that it escapes the isolation boundary and executes outside the intended environment, in the host Node.js process. The exposure therefore exists wherever an application uses vm2 to run code it does not fully trust, such as user-submitted scripts or third-party plugins, which is exactly the use case the sandbox is meant to protect.