CVE Catalog

CVE-2026-24781

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.16%

63th percentile — higher than 63% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js allows sandbox escape via the inspect function. Attackers can execute arbitrary commands on the host system.

Risk Assessment

The organization risks full system compromise if an attacker exploits this vulnerability in an application using vm2.

Recommendation

Immediately update the vm2 library to version 3.11.0 or later.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS