Skip to main content
Application Security Standards
vm2 Sandbox Escapes: A TeardownIncident
4 min readFor Security Engineers

vm2 Sandbox Escapes: A Teardown

What Happened

The vm2 library, a widely-used Node.js sandbox for executing untrusted JavaScript code, suffered multiple critical vulnerabilities that allowed attackers to break out of the sandbox and execute arbitrary code on the host system. The most severe vulnerability, CVE-2026-43997, received a CVSS score of 10.0. Another critical issue, CVE-2026-24118, exploited the __lookupGetter__ method to achieve sandbox escape in versions up to 3.10.4.

These vulnerabilities were not just theoretical. They represented complete sandbox failures: an attacker could submit malicious code that would run with the same privileges as the Node.js process itself, bypassing every protection vm2 was designed to provide.

Timeline

The timeline for discovery and disclosure varies by CVE, but the pattern is consistent:

  • Initial vulnerability discovery: Security researchers identified multiple escape vectors.
  • CVE assignment: CVE-2026-24118 (versions ≤ 3.10.4) and CVE-2026-43997 (versions ≤ 3.10.5) were formally documented.
  • Patch release: Maintainer Patrik Simek released updates addressing the vulnerabilities.
  • Public disclosure: Details became public, urging immediate updates.

The critical window—between vulnerability existence and patch deployment—left any organization running vulnerable versions exposed to complete system compromise.

Which Controls Failed or Were Missing

Sandboxing Architecture

The fundamental control failure was in vm2's isolation mechanism. The library attempted to create a secure boundary between untrusted code and the Node.js runtime, but the implementation allowed prototype chain manipulation and property accessor abuse to pierce that boundary.

Your sandboxing strategy failed if you:

  • Relied on a single library for critical security isolation.
  • Didn't implement multiple layers of defense around sandbox execution.
  • Ran sandboxed code with elevated privileges.
  • Lacked process-level isolation (containers, separate processes).

Dependency Monitoring

Most organizations running vm2 lacked visibility into:

  • Which applications used the library.
  • What versions were deployed.
  • Whether patches had been applied across all environments.

This is a Software Bill of Materials (SBOM) problem. If you can't enumerate your dependencies quickly, you can't patch them effectively.

Vulnerability Response Process

The gap between patch availability and patch deployment created exposure. Organizations without automated dependency scanning and update workflows remained vulnerable for days or weeks after fixes were released.

What the Standards Require

OWASP ASVS v4.0.3

Requirement 5.3.3: Verify that the application has defenses against HTTP parameter pollution attacks.

While this requirement addresses parameter handling specifically, the principle extends to any untrusted input execution. Your sandbox must handle malicious input without compromise.

Requirement 14.2.1: Verify that all components are up to date, preferably using a dependency checker during build or compile time.

This directly addresses the vm2 scenario. You need automated tooling that flags vulnerable dependencies before they reach production.

NIST 800-53 Rev 5

SI-3 (Malicious Code Protection): Employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.

Running untrusted code requires multiple layers of protection. A sandbox is one layer; you also need:

  • Runtime application self-protection (RASP).
  • Container isolation.
  • Restricted service accounts.
  • Network segmentation.

CM-8 (Information System Component Inventory): Develop and document an inventory of information system components.

Your SBOM should list every dependency, version, and vulnerability status. If vm2 is in your stack, you need to know which applications use it, where they run, and what data they access.

PCI DSS v4.0.1

Requirement 6.3.2: Maintain an inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software to facilitate vulnerability and patch management.

For organizations processing payment data, this isn't optional. You must maintain a current inventory that includes libraries like vm2.

Requirement 6.2.2: Applicable vendor security patches are installed within one month of release.

The one-month clock starts when Patrik Simek publishes a patch, not when you notice it. Your process must detect new releases and trigger your update workflow automatically.

Lessons and Action Items for Your Team

1. Never Trust a Single Sandbox

Implement multiple layers of defense for code execution:

  • Run sandboxed code in containers with minimal privileges.
  • Use separate processes, not just separate contexts.
  • Apply seccomp or AppArmor profiles to restrict system calls.
  • Monitor for unexpected file access, network connections, or process creation.

2. Build an Automated Dependency Pipeline

Deploy these tools this week:

  • Dependabot or Renovate: Automated pull requests for dependency updates.
  • npm audit or Snyk: Vulnerability scanning in CI/CD.
  • SBOM generation: Tools like Syft or CycloneDX to document your dependency tree.

Set a policy: Critical vulnerabilities (CVSS ≥ 9.0) require patches within 72 hours. High vulnerabilities (CVSS ≥ 7.0) within two weeks.

3. Map Dependencies to Business Risk

Not all vm2 deployments carry equal risk. Ask:

  • What data can the sandboxed code access?
  • What privileges does the Node.js process run with?
  • Is the sandbox exposed to external input or only internal scripts?

Your highest-risk deployments need immediate attention. Lower-risk instances can follow your standard patch cycle, but they still need tracking.

4. Test Your Sandbox Assumptions

Schedule a tabletop exercise: Assume an attacker achieves arbitrary code execution in your sandbox environment. Map:

  • What data they can access.
  • What systems they can reach.
  • What privileges they inherit.
  • How quickly you'd detect the breach.

If the answer to any of these is "everything" or "we wouldn't know," your architecture needs revision.

5. Document Your Untrusted Code Execution Policy

Write down:

  • Which sandboxing technologies you permit.
  • What additional controls must surround them.
  • How you monitor for sandbox escapes.
  • Your update SLA for sandbox libraries.

This documentation satisfies ISO 27001 Annex A.8.1 (Inventory of assets) and gives your team clear guidance when evaluating new libraries or frameworks.

The vm2 vulnerabilities weren't anomalies—they're examples of an ongoing challenge in isolating untrusted code. Your response determines whether a library vulnerability becomes a security incident.

Topics:Incident

You Might Also Like

PromptMink: How North Korea Weaponized AI Coding Agents
4 min readFor Security Engineers

PromptMink: How North Korea Weaponized AI Coding Agents

What Happened In September 2024, North Korea s Chollima APT group launched PromptMink, a supply-chain attack targeting AI coding agents. The attackers published two malicious npm packages — @hash-vali

Read
When Google's Own Apps Became the Attack Vector
5 min readFor Security Engineers

When Google's Own Apps Became the Attack Vector

In early 2024, Google acknowledged a significant security gap: there was no reliable way to verify that the Google apps on your Android device were the exact ones Google intended to release. Digital s

Read
DAEMON Tools Trojan: A Build Pipeline Breach
4 min readFor Security Engineers

DAEMON Tools Trojan: A Build Pipeline Breach

On May 5, 2025, Disc Soft Limited confirmed that their DAEMON Tools Lite software had been compromised at the source. Security researchers at Kaspersky had already detected this breach. Version 12.5.1

Read