CVE-2026-24120
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk55th percentile — higher than 55% of all known CVEs
Summary
A vulnerability in the vm2 library for Node.js allows bypassing the fix for CVE-2023-37466. Attackers can write code that escapes the VM2 sandbox and executes arbitrary commands on the host system.
Risk Assessment
The risk for the organization is critical as attackers can gain full control over the host system, leading to compromise of data confidentiality, integrity, and availability.
Recommendation
Immediately update the vm2 library to version 3.10.5 or later, which includes a patch that fixes this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

