CVE-2026-24781 Overview
CVE-2026-24781 is a sandbox breakout vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.0 fail to properly isolate the inspect function, allowing attackers to escape the sandbox boundary. Successful exploitation enables arbitrary command execution on the host system running the embedded sandbox. The maintainers patched the issue in vm2 version 3.11.0. The flaw is classified under CWE-94: Improper Control of Generation of Code and affects any Node.js application that relies on vm2 to execute untrusted JavaScript.
Critical Impact
Attackers who can submit JavaScript to a vm2 sandbox can break out of the isolation boundary and execute arbitrary operating system commands on the host.
Affected Products
- vm2 (patriksimek/vm2) versions prior to 3.11.0
- Node.js applications embedding vulnerable vm2 versions
- Server-side platforms that execute untrusted user-supplied JavaScript through vm2
Discovery Timeline
- 2026-05-04 - CVE-2026-24781 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-24781
Vulnerability Analysis
vm2 provides a sandboxed execution context intended to run untrusted JavaScript safely inside a Node.js process. The library wraps host objects with proxies and contextifies globals to prevent sandboxed code from reaching the outer realm. CVE-2026-24781 breaks this guarantee through the inspect function, which exposes a path back to host objects that vm2 did not properly mediate. Once an attacker reaches a host-side constructor or function, they can call into Node.js built-ins such as child_process and execute arbitrary commands. The vulnerability is network-exploitable in any deployment where remote input is fed into a vm2 sandbox, for example serverless code execution services, no-code platforms, and chatbot plugin runtimes.
Root Cause
The root cause is improper isolation of the inspect function within the vm2 contextification logic. The function returned objects whose prototype chain still referenced host-realm constructors, violating the sandbox invariant that no host object should be reachable from sandboxed code. This is consistent with the CWE-94 class of code generation flaws. Technical details are documented in the GitHub Security Advisory GHSA-v37h-5mfm-c47c and the corresponding GitHub Release v3.11.0.
Attack Vector
Exploitation requires only the ability to submit JavaScript source to an application that evaluates it inside vm2. The attacker crafts a payload that invokes inspect to obtain a reference to a host-realm object. From that reference, the attacker walks the prototype chain to reach a host Function constructor. Constructing a function in the host realm and invoking it returns full Node.js privileges, including access to require('child_process').exec for shell command execution. Refer to the patch commits 8d30d93, bdd3d15, and fd266d0 for the exact code paths corrected by the maintainers.
No verified public proof-of-concept code is referenced in the advisory; see GHSA-v37h-5mfm-c47c for technical details on the inspect breakout.
Detection Methods for CVE-2026-24781
Indicators of Compromise
- Node.js processes spawning unexpected child processes such as /bin/sh, bash, cmd.exe, or powershell.exe from a service that should only run JavaScript evaluation.
- Outbound network connections originating from the Node.js runtime to attacker-controlled hosts shortly after user-supplied script execution.
- Application logs containing unusual references to inspect, Function, or constructor chains submitted by external users.
- New files written to the filesystem by the Node.js service account outside expected working directories.
Detection Strategies
- Inventory all Node.js applications and dependencies and flag any package-lock entries pinning vm2 below 3.11.0.
- Monitor for process lineage where node is the parent of a shell or scripting interpreter, which is anomalous for sandboxed code execution services.
- Inspect web application logs for request bodies containing inspect(, __proto__, or constructor.constructor patterns aimed at sandbox escape.
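The first detection strategy above (and the `npm ls vm2` check under Workarounds) can be automated against a lockfile. The following is an added example, not code from the advisory or the vm2 project: it walks a package-lock.json, including transitive and non-hoisted copies, and reports every vm2 entry below the patched 3.11.0. It assumes the standard npm lockfile layouts (lockfileVersion 1 nested `dependencies`; lockfileVersion 2/3 flat `packages` keyed by install path); the sample lockfile is constructed.

```javascript
const PATCHED = [3, 11, 0]; // first fixed vm2 release named in the advisory

// Parse "3.9.19" or "3.11.0-rc.1" into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` sorts strictly below 3.11.0 (or cannot be parsed).
function isVulnerable(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true; // unknown version: treat as at risk
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== PATCHED[i]) return parsed[i] < PATCHED[i];
  }
  return false;
}

// Collect every vm2 install path and version. lockfileVersion 2/3 has a flat
// "packages" map keyed by install path; lockfileVersion 1 nests "dependencies".
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === 'node_modules/vm2' || p.endsWith('/node_modules/vm2')) {
        found.push({ path: p, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'vm2') found.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`); // nested (non-hoisted) dependencies
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Returns the vm2 entries in a lockfile (JSON text) whose version is < 3.11.0.
function vulnerableVm2(lockJson) {
  return findVm2(JSON.parse(lockJson)).filter((e) => isVulnerable(e.version));
}

// Constructed sample lockfile (not from a real project) for a stand-alone run;
// pass fs.readFileSync('package-lock.json', 'utf8') to scan a real one.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/vm2': { version: '3.9.19' },                          // vulnerable
  'node_modules/some-plugin/node_modules/vm2': { version: '3.11.0' }, // patched
} });
console.log(vulnerableVm2(SAMPLE_LOCK)); // [ { path: 'node_modules/vm2', version: '3.9.19' } ]
```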
Monitoring Recommendations
- Forward Node.js process telemetry, including command-line arguments and parent-child relationships, to a centralized analytics platform.
- Alert on egress traffic from Node.js workloads to non-allowlisted destinations.
- Track software composition analysis output across CI/CD pipelines to catch reintroduction of vulnerable vm2 versions.
How to Mitigate CVE-2026-24781
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later in all Node.js projects and rebuild affected container images.
- Audit application dependency trees, including transitive dependencies, for any remaining references to vulnerable vm2 versions.
- Restrict network egress and filesystem permissions of services that execute untrusted JavaScript.
- Review historical logs for evidence of sandbox escape attempts targeting inspect.
Patch Information
The maintainers fixed the vulnerability in vm2 3.11.0. Apply the upgrade via npm install vm2@3.11.0 or the equivalent yarn or pnpm command. The official fix is described in the GitHub Release v3.11.0 notes and the GitHub Security Advisory GHSA-v37h-5mfm-c47c. Note that the vm2 project has since been deprecated by its author in favor of alternative isolation approaches such as isolated-vm; teams should plan migration where feasible.
Workarounds
- If immediate patching is not possible, refuse user-supplied JavaScript at the application boundary until the upgrade is deployed.
- Run the Node.js service inside a hardened container or microVM with minimal capabilities, no shell, and read-only root filesystem.
- Drop the ability to spawn child processes by removing or stubbing the child_process module from the host Node.js process.
# Upgrade vm2 to the patched version
npm install vm2@3.11.0 --save
# Verify resolved version across the dependency tree
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.