AI description
CVE-2023-37466 is a sandbox escape vulnerability found in the `vm2` library, an advanced virtual machine and sandbox for Node.js, affecting versions up to 3.9.19. This flaw allows attackers to bypass Promise handler sanitization by exploiting the `@@species` accessor property. By leveraging this vulnerability, an attacker can escape the `vm2` sandbox environment and execute arbitrary code on the host system. Due to critical security issues like this, maintenance of the `vm2` project has been discontinued, and its use in production environments is not recommended.
- Description
- vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
- Source
- security-advisories@github.com
- NVD status
- Modified
- Products
- vm2
CVSS 3.1
- Type
- Primary
- Base score
- 10
- Impact score
- 6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
Your Node.js sandbox is broken. Patch before your AI agent runs user code. vm2 CVE-2026-24120 (CVSS 9.8): bypass of CVE-2023-37466 lets attackers escape the VM and run host commands. Update to 3.11.2. Your agent's sandbox has a known exploit. https://t.co/t9aNIWKbWr
@so_sthbryan
11 May 2026
67 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Node.js向けサンドボックスライブラリ「vm2」に、ホスト上での任意コード実行に至るサンドボックス脱出の脆弱性が12件、まとめて公開されています。GitHub/CNAのCVSSでは10.0が3件、9.9が1件、残り8件は9.1〜9.8とさ
@MalwareBibleJP
7 May 2026
1713 Impressions
1 Retweet
15 Likes
4 Bookmarks
0 Replies
0 Quotes
🔴 (Nodejs vm2), Sandbox Escape via nesting:true bypassing require:false, #CVE-2023-37466 (Critical) https://t.co/aX1MRQuQmb
@dailycve
7 May 2026
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨*CVE* CVE-2026-24120 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write … https://t.co/sARNh3pR3T ----- Traducción: CVE-2026-24120 vm2… https://t.co/utmtNg
@infoflowcloud
4 May 2026
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-24120 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write … https://t.co/miSzdzYqSH
@CVEnew
4 May 2026
180 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5F54A6F9-FD6B-4E23-A6B7-616952129C1C",
"versionEndIncluding": "3.9.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]