← Back
CVE-2026-24118
critical
CVSS 9.8
Code Injection in vm2-project (CVE-2026-24118)
Summary
code injection in vm2-project (CVE-2026-24118). Successful exploitation can lead to full system takeover. Exploitable via ``__lookupGetter__``.
AI summary openai / gpt-4o
There is a critical vulnerability in the vm2 library for Node.js. Without patching, attackers could use this library to take control of the server. This issue is fixed in version 3.11.0, and it is recommended to update immediately. This vulnerability could pose severe risks similar to past issues like Heartbleed.
A sandbox breakout vulnerability in vm2, a Node.js virtual machine library, allows attackers to execute code in the host environment. Affected versions are <=3.10.4, patched in 3.11.0. Exploitation involves using the `__lookupGetter__` method with `Buffer.apply` to invoke the host `apply` method, enabling arbitrary code execution on the host. There is no workaround; updating to the latest version is necessary.
❓ What is the problem
Sandbox breakout in vm2 allowing arbitrary code execution on the host system.
📍 Affected scope
Within vm2 library running untrusted code.
🔥 Severity
Critical severity with CVSS 9.8, remote exploitation possible without user interaction.
🔧 How to fix
Update to vm2 version 3.11.0 or later.
🛡️ Workaround
No known workarounds.
🔍 Detection
Monitor for unexpected file changes or command execution suggesting unauthorized access.
Related past incidents Similar incidents extracted from past CVEs
Similar vulnerability in Spring Framework allowing RCE via data binding.
Heartbleed vulnerability where memory leak allowed sensitive data exposure.
Log4Shell vulnerability in Apache Log4j allowing RCE via JNDI lookup.
If this happens at your company Expected impact per business scenario
📌 Web-based application
The attacked system could be fully compromised, allowing data theft and unauthorized access to resources.
📌 Internal business application
Critical business processes could be disrupted, leading to loss of productivity and financial damage.
📌 Cloud-based service provider
The provider's systems could be used to further launch attacks on client systems, damaging reputation and leading to compliance issues.
Recommended action
Company should immediately upgrade to vm2 version 3.11.0 and review systems for signs of past exploitation.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
grep -r 'vm2-project' . | grep -v node_modulesリポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `vm2-project` を grep し、稼働しているサービス・バージョンを把握する。
-
2Match against affected range verify
Confirm if version satisfies `<= 3.10.4`Step 1 で見つかったバージョンが影響範囲 `<= 3.10.4` に該当するか照合。本番で稼働中ならインシデント扱い。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。
References
- exploit 134c704f-9b21-4f2e-91b3-4a467353bcc0
- patch [email protected]
- patch [email protected]
- web [email protected]