
[CIVN-2026-0228] Multiple Vulnerabilities in vm2 Node.js Library
Multiple Vulnerabilities in vm2 Node.js Library
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
vm2 Node.js versions prior to 3.11.2
Overview
Multiple vulnerabilities have been reported in the vm2 Node.js library which could allow a remote attacker to bypass sandbox restrictions and execute arbitrary code on the targeted system.
Target Audience:
Organizations and individuals using the vm2 library in Node.js applications for sandboxed JavaScript execution.
Risk Assessment:
High risk of remote code execution, sandbox escape, data theft.
Impact Assessment:
Potential for system compromise, arbitrary code execution.
Description
vm2 is a popular sandbox library for Node.js that enables the execution of untrusted JavaScript code within isolated environments.
Multiple vulnerabilities exist in the vm2 library due to sandbox escape flaws, code injection flaws and a flaw that allows bypassing of NodeVM protections.
Successful exploitation of these vulnerabilities could allow a remote attacker to bypass sandbox restrictions and execute arbitrary code on the targeted system.
Solution
Apply appropriate updates as mentioned:
https://www.npmjs.com/package/vm2
Vendor Information
https://www.npmjs.com/package/vm2
References
The Hacker News
https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html
CVE Name
CVE-2026-24118
CVE-2026-24120
CVE-2026-24781
CVE-2026-26332
CVE-2026-26956
CVE-2026-43997
CVE-2026-43999
CVE-2026-44005
CVE-2026-44006
CVE-2026-44007
CVE-2026-44008
CVE-2026-44009
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


