A Dozen Critical vm2 Node.js Sandbox Escape Flaws Disclosed — Update to 3.11.2 Immediately

Summary

Twelve critical security vulnerabilities have been disclosed in vm2, the widely used Node.js library for running untrusted JavaScript inside sandboxed environments. The flaws (including CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, and CVE-2026-26332, several carrying CVSS scores of 9.8) allow attackers to break out of the vm2 sandbox entirely and execute arbitrary code on the host system.

The vulnerabilities exploit various JavaScript internals such as __lookupGetter__ and proxy mechanisms to bypass vm2’s sandboxing protections. Library maintainer Patrik Simek has released version 3.11.2 with patches for all twelve flaws, and has acknowledged that future bypass discoveries are likely given the inherent difficulty of securing JavaScript sandbox environments.

This latest batch comes just two months after a previous critical sandbox escape (CVE-2026-22709) was patched, raising questions about the long-term viability of JavaScript-based sandbox isolation.

Source

The Hacker News — vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

Commentary

Twelve sandbox escapes in a single disclosure is a red flag that should prompt any team using vm2 in production to seriously evaluate their architecture. The library is popular because running untrusted code in Node.js is genuinely hard — but this track record suggests that vm2’s approach of intercepting and proxying JavaScript objects may have fundamental limitations.

If you’re using vm2 for anything beyond development tooling — think serverless functions, plugin systems, or multi-tenant code execution — it’s time to consider process-level or container-level isolation instead. A sandbox that keeps getting broken isn’t really a sandbox anymore.
