CVE Catalog

CVE-2026-24120

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.90%

55th percentile — higher than 55% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js allows bypassing the fix for CVE-2023-37466. Attackers can write code that escapes the VM2 sandbox and executes arbitrary commands on the host system.

Risk Assessment

The risk for the organization is critical as attackers can gain full control over the host system, leading to compromise of data confidentiality, integrity, and availability.

Recommendation

Immediately update the vm2 library to version 3.10.5 or later, which includes a patch that fixes this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS