CVE-2026-24120: vm2 Sandbox Escape Allows Host Command Execution
The National Vulnerability Database reports a critical vulnerability, CVE-2026-24120, in vm2, an open-source vm/sandbox for Node.js. This flaw, present in versions prior to 3.10.5, allows attackers to bypass an earlier patch for CVE-2023-37466. The consequence is severe: a successful exploit enables an attacker to escape the vm2 sandbox and execute arbitrary commands on the host system.
Rated with a CVSS score of 9.8 (CRITICAL), this vulnerability represents a complete compromise of confidentiality, integrity, and availability. The attack vector is network-based, requires no user interaction, and has low attack complexity, making it highly exploitable. This isn’t just a bug; it’s a fundamental breakdown of the sandbox’s core security promise.
Defenders using vm2 must recognize that sandboxing is only as strong as its weakest link. A sandbox escape means all bets are off. The National Vulnerability Database confirms this issue has been patched in vm2 version 3.10.5. Organizations leveraging vm2 for untrusted code execution need to treat this as an immediate, high-priority update.
What This Means For You
- If your applications use vm2 for Node.js sandboxing, you are directly exposed to host system compromise. This isn't theoretical; it's a bypass of an existing fix, demonstrating persistence in attacker methodologies. Update to vm2 version 3.10.5 immediately. Audit any systems running older vm2 versions for anomalous activity, as this exploit allows for arbitrary command execution.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-24120: vm2 Sandbox Escape - Host Command Execution via Node.js
title: CVE-2026-24120: vm2 Sandbox Escape - Host Command Execution via Node.js
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
Detects potential exploitation of CVE-2026-24120 by identifying Node.js processes executing code that attempts to leverage vm2's sandbox escape vulnerabilities. This is indicated by the presence of 'vm.runInNewContext' or 'vm.runInThisContext' in the command line, which are functions commonly used by vm2 and targeted by this exploit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-24120/
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'node.exe'
CommandLine|contains:
- 'vm.runInNewContext'
- 'vm.runInThisContext'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-24120 | RCE | vm2 sandbox escape |
| CVE-2026-24120 | RCE | vm2 < 3.10.5 |
| CVE-2026-24120 | RCE | Node.js vm/sandbox |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Prometheus CVE-2026-42154: Unauthenticated Memory Exhaustion Vulnerability
CVE-2026-42154 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not...
Prometheus Azure AD OAuth Secret Exposed via Plaintext Config
CVE-2026-42151 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD...
CVE-2026-25863: WordPress Plugin DoS Vulnerability Hits Contact Form 7
CVE-2026-25863 — Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the...