vm2: Sandbox Breakout Through Inspect

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Affected Products

Vendor	Product	Versions
vm2	vm2	< 3.11.0, 3.10.x

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c(x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189(x_refsource_MISC)
https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c(x_refsource_MISC)
https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228(x_refsource_MISC)
https://github.com/patriksimek/vm2/releases/tag/v3.11.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-24781 | patriksimek vm2 up to 3.10.x inspect code injection (GHSA-v37h-5mfm-c47c)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-94, CWE-693

PublishedMay 4, 2026

Last enriched5h agov2

Trending Score71

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated affected versions to include 3.10.x and marked the vulnerability as actively exploited.

affectedVersionsactivelyExploited

via VulDB

v19h ago

Initial creation

vm2: Sandbox Breakout Through Inspect

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History