PT-2026-36848 · Npm · Vm2

Xmiliah · Published 2026-05-04 · Updated 2026-05-18 · CVE-2026-24781

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
vm2 versions prior to 3.11.0

Description
vm2 is an open source sandbox for Node.js. A sandbox breakout occurs through the inspect() function, allowing attackers to write code that escapes the sandbox environment and executes arbitrary commands on the host system.

Recommendations
Update to version 3.11.0. As a temporary workaround, consider restricting the use of the inspect() function until the update is applied.
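
One way to check whether a project still resolves an affected vm2 release, including copies pulled in transitively, is to scan its package-lock.json. This is an added example, not code from the advisory or from the vm2 project; the function names isPriorToFix and findVulnerableVm2 are hypothetical, the lockfile layout is npm's, and the sample lockfile is constructed.

```javascript
// Added example (not from the advisory): find vm2 installs older than the fix.
const FIXED = [3, 11, 0]; // fixed vm2 release named in the advisory

// True when `version` sorts before FIXED; a pre-release of the fixed
// version (e.g. "3.11.0-rc.1") also counts as prior to it.
function isPriorToFix(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version).trim());
  if (!m) return true; // not a plain version (git URL, link): flag for review
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return Boolean(m[4]); // same core version: only a pre-release is older
}

// Return every affected vm2 entry in a parsed package-lock.json, including
// copies nested under other packages and copies installed under an alias.
function findVulnerableVm2(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === "vm2" && isPriorToFix(meta.version)) hits.push({ path, version: meta.version });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "") check(meta.name || path.split("node_modules/").pop(), path, meta);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, `${prefix}node_modules/${name}`, meta);
      walk(meta.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; package names other than vm2 are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.0" },
    "node_modules/plugin-host/node_modules/vm2": { version: "3.9.19" },
    "node_modules/sandbox": { name: "vm2", version: "3.10.2" },
  },
};
console.log(findVulnerableVm2(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to findVulnerableVm2 in place of SAMPLE_LOCK.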

Fix

Code Injection

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

CVE-2026-24781
GHSA-V37H-5MFM-C47C

Affected Products

Vm2