Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
Published: 2026-05-04
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vm2, an open source VM/sandbox for Node.js, has a vulnerability that allows attackers to escape the sandbox through the inspect function. This flaw lets an attacker write and run code that bypasses the VM2 boundary and triggers arbitrary command execution on the host system. The weakness reflects a failure of the sandbox's isolation mechanism and improper control of code generation, mapped to CWE-693 (Protection Mechanism Failure) and CWE-94 (Improper Control of Generation of Code).

Affected Systems

The issue affects the vm2 package published by patriksimek. Any installation of vm2 prior to version 3.11.0 is vulnerable; version 3.11.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.8 (Critical) reflects a network-reachable flaw requiring no privileges or user interaction, with complete loss of confidentiality, integrity, and availability. EPSS data is unavailable, so current exploit likelihood cannot be quantified, and the absence of a KEV listing does not diminish the risk. The likely attack vector is a Node.js application that runs untrusted code inside vm2, where an adversary supplies a payload that reaches the inspect interface, breaks out of the sandbox, and executes system commands on the host.

Generated by OpenCVE AI on May 4, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vm2 to version 3.11.0 or newer to apply the vendor patch that closes the sandbox escape path.
  • If immediate upgrade is not possible, restrict or remove the use of the inspect function in any vm2 instance to mitigate potential exploitation.
  • Review all Node.js applications using vm2 for additional hardening measures, such as limiting filesystem and network access within the VM, to reduce the impact of a possible breach until a patch can be applied.

Generated by OpenCVE AI on May 4, 2026 at 19:00 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Patriksimek; Patriksimek vm2
Vendors & Products                    Patriksimek; Patriksimek vm2

Mon, 04 May 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
Title                          vm2: Sandbox Breakout Through Inspect
Weaknesses                     CWE-693; CWE-94
References
Metrics                        cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T17:15:45.844Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24781

Vulnrichment

Updated: 2026-05-04T17:14:09.275Z

NVD

Status: Received

Published: 2026-05-04T17:16:21.960

Modified: 2026-05-04T17:16:21.960

Link: CVE-2026-24781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:30:02Z

Weaknesses