CVE 9.8 CRITICAL

vm2: Sandbox Breakout Through Promise Species_CVE-2026-24120

May 4, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

AI Analysis

Sandbox breakout vulnerability allowing arbitrary command execution on the host system

Basic Information

ID CVE-2026-24120

Source GitHub_M

Published May 4, 2026 at 16:31

Affected Product

Vendor patriksimek

Product vm2

Version < 3.10.5

Affected Versions patriksimek vm2 < 3.10.5

CWE Classification

CWE-693 CWE-94

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor patriksimek

Product vm2

Version < 3.10.5

References

{
    "lastseen": "",
    "description": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.",
    "published": "2026-05-04T16:31:13.639Z",
    "modified": "2026-05-04T16:31:13.639Z",
    "type": "cve",
    "title": "vm2: Sandbox Breakout Through Promise Species",
    "source": "GitHub_M",
    "references": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p\nhttps://github.com/patriksimek/vm2/releases/tag/v3.10.5",
    "id": "CVE-2026-24120",
    "bulletinFamily": "",
    "cwe": [
        "CWE-693",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "patriksimek vm2 < 3.10.5",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vm2",
    "version": "< 3.10.5",
    "vendor": "patriksimek",
    "ai_description": "Sandbox breakout vulnerability allowing arbitrary command execution on the host system",
    "ai_severity": "Critical",
    "ai_vendor": "patriksimek",
    "ai_product": "vm2",
    "ai_version": "< 3.10.5",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply