Summary
Code injection in vm2-project (CVE-2026-24120). Successful exploitation can lead to full system takeover. Exploitable via `resetPromiseSpecies`.
AI summary openai / gpt-4o
A critical security issue has been identified in vm2, a Node.js sandbox, allowing attackers to escape the sandbox and execute arbitrary code on the host system. This was patched in version 3.10.5, and prompt updating is recommended. Similar issues in the past have led to system takeovers, highlighting the need for caution.
This vulnerability exists in vm2 sandbox versions <= 3.10.3, allowing code execution on the host system via Promise objects. It has been patched in 3.10.5. With this vulnerability, attackers exploit `Object.defineProperty` and `Symbol.species` to gain access to the host's `process` object and execute commands. Affected environments should apply the patch immediately.
❓ What is the problem
vm2 sandbox escape enabling arbitrary code execution on host
📍 Affected scope
vm2 versions <= 3.10.3, patched in 3.10.5
🔥 Severity
Critical, allows remote code execution
🔧 How to fix
Update vm2 to version 3.10.5 or later
🛡️ Workaround
No workaround available, updating is mandatory
🔍 Detection
Monitor for unusual file operations such as creating files like 'pwned'
Related past incidents
Similar incidents extracted from past CVEs
Previous issue in vm2 relating to sandbox escape capabilities.
Another instance of vm2 allowing sandbox escape.
If this happens at your company
Expected impact per business scenario
📌 Web hosting service using vm2 for customer environments
Could enable attackers to escape from a sandboxed environment, leading to full system control.
📌 IoT devices employing Node.js and vm2 for execution isolation
Potential for remote takeover of devices.
📌 Enterprises using vm2 for running untrusted code
Risk of data leaks and unauthorized command execution on server infrastructure.
Recommended action
Organizations should urgently update to vm2 version 3.10.5 to mitigate this risk.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure [identify]
   grep -r 'vm2-project' . | grep -v node_modules
   Grep for `vm2-project` in the repository and in the production environment's dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to establish which services are running it and at what version.
2. Match against affected range [verify]
   Confirm if version satisfies `<= 3.10.3`
   Check whether the versions found in Step 1 fall within the affected range `<= 3.10.3`. If an affected version is running in production, treat it as an incident.
7. Post-deployment verification [verify]
   Confirm patched version is live in production
   After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as Step 3 to confirm the alert does not recur.