- vm2 Node.js library users must urgently update to version 3.11.2 to patch twelve critical sandbox escape vulnerabilities.
- The flaws allow attackers to break out of the isolation environment and execute arbitrary code on the host system.
- Multiple CVSS 10.0-rated vulnerabilities were found, representing the highest severity level for remote code execution.
- Maintainer Patrik Simek has acknowledged that new bypasses in JavaScript sandboxing are likely to continue being discovered.
- The vulnerabilities affect versions up to and including 3.11.1, requiring immediate action for applications running untrusted code.
On May 07, 2026, security researcher Ravie Lakshmanan disclosed a dozen critical vulnerabilities in the popular vm2 library, which developers use to run untrusted JavaScript code in a secure sandbox. These flaws represent a severe threat to any system using affected versions of the open-source tool for code isolation.
Attackers can exploit these vulnerabilities, tracked as CVE-2026-24118 among others, to escape the sandbox entirely and run arbitrary commands on the underlying host machine.
The list includes several maximum-severity issues, such as CVE-2026-43997 and CVE-2026-44005, which both carry a CVSS score of 10.0. Other critical flaws, like CVE-2026-44009, also permit sandbox escape and arbitrary command execution.
This disclosure follows patches, released a couple of months earlier, for another critical flaw, CVE-2026-22709. The repeated discoveries highlight the inherent difficulty of securely isolating code in JavaScript environments.
vm2 maintainer Patrik Simek has released updated versions addressing all identified issues. Users are strongly advised to update immediately to the latest patched version, 3.11.2.
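To find out whether an application is still exposed, the check below scans an npm lockfile for every installed copy of vm2 and flags those at or below 3.11.1. It is an added example, not code from the article or the vm2 project; the lockfile contents and the plugin name are constructed for illustration.

```javascript
// Added example, not code from the article or the vm2 project: scan an npm
// package-lock.json (lockfileVersion 2 or 3) for vm2 copies still on an
// affected release. The article states versions up to and including 3.11.1
// are affected and 3.11.2 is the fix.
const FIXED = [3, 11, 2];

// vm2 publishes plain x.y.z releases, so a three-part compare is enough here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function isVulnerable(version) {
  const p = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false; // exactly 3.11.2
}

// Return every install path holding a vulnerable vm2. The "packages" map is
// keyed by install path, so transitive copies nested under other packages
// ("node_modules/x/node_modules/vm2") are found as well as the top-level one.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): the app's direct vm2 is patched, but
// a hypothetical plugin still pins a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')). Older lockfileVersion 1 files keep a nested "dependencies" tree instead of "packages" and would need that tree walked recursively.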
