Arbitrary Code Execution Vulnerability in vm2 for Node.js by Patrik Símek
CVE-2026-24120

9.8CRITICAL

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 4 May 2026

🔔 Create Patriksimek Vulnerability Alert

What is CVE-2026-24120?

The vm2 library, a popular sandboxing tool for Node.js, contains a vulnerability that permits attackers to craft malicious code capable of escaping the confines of the vm2 sandbox. Versions earlier than 3.10.5 are susceptible to this issue, which results from an inadequate fix for a previous vulnerability. Once exploited, it can allow unauthorized code execution on the host system, significantly affecting system integrity and security. Users are advised to update to version 3.10.5 or later to safeguard against these risks.

Affected Version(s)

vm2 < 3.10.5

References

https://github.com/patriksimek/vm2/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Jan 21, 2026

CVE-2026-24120 Data

JSON