vm2 — Dozen Critical Sandbox Escape CVEs in Node.js Code Execution Library

AI relevance: vm2 is widely used by AI coding agents, code interpreters, and LLM-powered code execution platforms to sandbox untrusted JavaScript — every one of these twelve bypasses means an injected prompt can escape the sandbox and run arbitrary code on the host machine.

• CVE-2026-24118 (CVSS 9.8) — Sandbox escape via __lookupGetter__ on proxied objects, allowing sandboxed code to reach host prototypes and execute arbitrary code.
• CVE-2026-24120 (CVSS 9.8) — Prototype pollution through frozen object manipulation that breaks vm2's proxy-based isolation boundary.
• CVE-2026-24781 (CVSS 9.8) — Host object reference leak via cross-realm object comparison, exposing native Node.js APIs to sandboxed code.
• CVE-2026-43999 (CVSS 9.9) — NodeVM builtin allowlist bypass via Module._load(). The module builtin loads any module by name directly in the host context, completely bypassing vm2's builtin restriction and enabling access to blocked builtins like child_process.
• CVE-2026-43997 — Host object access escape via direct host property traversal.
• CVE-2026-43998 — Sandbox escape via symlink bypass in the virtual filesystem layer.
• CVE-2026-44005 through CVE-2026-44009 — Additional sandbox bypasses covering proxy handler manipulation, realm confusion, and constructor leakage.
• Multiple researchers contributed findings: XmiliaH reported five flaws, with additional discoveries by 0x5t, c0rydoras, bugbunny-research, hongancalif, and Akshat Sinha.
• Patches are available in vm2 3.11.2. Maintainer Patrik Simek has acknowledged that new bypasses will likely continue to be discovered as JavaScript and Node.js evolve.

Why it matters

vm2 is the go-to JavaScript sandbox for AI code execution platforms. When LLM agents are given code interpreter tools, vm2 is often the isolation layer. Each of these twelve bypasses represents a path from "LLM generates malicious JS" to "host compromise." The recurring pattern — prototype pollution, proxy handler bugs, realm confusion — reflects a fundamental challenge: JavaScript's dynamic object model is inherently hostile to sandbox boundaries built on proxy interception.

What to do

• Update to vm2 3.11.2 immediately if you use it for AI code execution or code interpreters.
• Consider replacing vm2 with process-level isolation (Docker containers, firejail, or gVisor) for untrusted code execution — proxy-based JS sandboxes have proven fundamentally fragile.
• Audit AI agent configurations: disable code execution tools unless strictly required, and restrict to read-only operations where possible.

Sources

• The Hacker News — vm2 Node.js Library Vulnerabilities Enable Sandbox Escape
• GitLab Advisory — CVE-2026-43999 (NodeVM allowlist bypass)
• GitHub Advisory — CVE-2026-24118
• vm2 v3.11.2 Release