A dozen critical security vulnerabilities have been disclosed in a popular Node.js library used for executing untrusted code in a secure sandbox. These flaws allow attackers to break out of the intended isolation and execute arbitrary commands on the underlying host system.
Tracked as CVE-2026-24118 (CVSS 9.8), the primary vulnerability allows for sandbox escape via specific getter methods. Another critical flaw, CVE-2026-24120, represents a patch bypass for a previous high-severity bug. These vulnerabilities impact any application that utilizes the vm2 library to run untrusted JavaScript, such as online code editors or automated testing platforms.
When a sandbox library fails, it effectively neutralizes the primary security control for executing external code. For cloud-native environments, a sandbox escape allows an attacker to pivot from a limited application context to full administrative control of the host or container.
– Update the vm2 library to version 3.11.0 or higher immediately across all projects and dependencies.
– Audit any application that uses vm2 to ensure it is not processing unverified or untrusted code without additional security layers.
– Implement strict container isolation and use least-privilege service accounts to limit the blast radius of a potential sandbox escape.
– Consider transitioning to more robust isolation methods, such as WebAssembly or dedicated virtualization, for high-risk code execution tasks.
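The first two steps above (update vm2 and audit where it is used) are easy to miss when an outdated copy is pulled in transitively by another dependency. The following is an added example, not code from the post or from the vm2 project: it walks a parsed npm lockfile (assumed to use the lockfileVersion 2/3 "packages" layout, keyed by node_modules path) and flags every vm2 install below the fixed version 3.11.0, including nested copies.

```javascript
// Added example (not from the original post): find every vm2 copy in an npm
// lockfile and flag those below the patched version named in the advisory.
// Assumption: lockfileVersion 2/3 layout, where each installed package
// appears under "packages" keyed by its node_modules path.

const FIXED_VERSION = '3.11.0';

// Compare two semver-style versions; returns -1, 0 or 1.
// A pre-release (e.g. "3.11.0-beta.1") sorts below its release version.
function compareVersions(a, b) {
  const [aBase, aPre] = a.split('-');
  const [bBase, bPre] = b.split('-');
  const pa = aBase.split('.').map(Number);
  const pb = bBase.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Return every vm2 entry with its path, version and vulnerable flag.
function auditVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level install and nested copies, not e.g. "vm2-extra".
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      findings.push({
        path,
        version: meta.version,
        vulnerable: compareVersions(meta.version, FIXED_VERSION) < 0,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: a patched direct install plus an outdated
// nested copy pulled in by a hypothetical "legacy-runner" dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/vm2': { version: '3.11.0' },
    'node_modules/legacy-runner': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const f of auditVm2(sampleLock)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}\t${f.path}\t${f.version}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty set of vulnerable findings means the update in the first step has not actually reached every copy.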
The failure of a core isolation library turns every piece of untrusted code into a potential remote code execution vector for the underlying infrastructure. #CodeDefence #NodeJS #vm2 #SandboxEscape #AppSec
