vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

vm2 Node.js library has disclosed a dozen critical security vulnerabilities allowing sandbox escape and arbitrary code execution.

• •Vulnerabilities exploit __lookupGetter__, inspect function, SuppressedError, and prototype pollution to breach the sandbox
• •CVSS scores range from 9.1 to 10.0, affecting versions 3.9.6 through 3.11.1
• •Critical CVEs include CVE-2026-24118, CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 enabling arbitrary code execution
• •vm2 is an open-source library executing untrusted JavaScript in a secure sandbox via object interception and proxying
• •Users should update to version 3.11.2 to protect against all identified vulnerabilities

This summary was automatically generated by AI based on the original article and may not be fully accurate.