12 Critical Vulnerabilities Found in vm2 Node.js Library

Security researchers have disclosed a total of twelve vulnerabilities in vm2, a widely used open-source Node.js library, several of which carry the maximum possible CVSS score of 10.0. All versions up to and including 3.11.1 are affected, and users are strongly urged to upgrade to the newly released version 3.11.2 immediately.

What Is vm2?

vm2 is a Node.js sandbox library designed to safely execute untrusted JavaScript code in an isolated environment, preventing that code from accessing the underlying host system. It is commonly used in platforms that need to run user-supplied or third-party scripts without exposing the server to risk. The discovery of these flaws fundamentally undermines that security guarantee.

What the Vulnerabilities Allow

All twelve flaws share a common and critical outcome: they enable sandbox escape, meaning an attacker can break out of the isolated environment and execute arbitrary code directly on the host machine. Several of the vulnerabilities also allow privilege escalation, prototype pollution, and the bypassing of built-in security allowlists (for example, loading restricted Node.js modules like child_process that would normally be blocked).

The flaws exploit a range of JavaScript internals, including the __lookupGetter__ method, the species property of Promise objects, the inspect function, SuppressedError, Symbol-to-string coercion, prototype chain manipulation via BaseHandler.getPrototypeOf, and weaknesses in the neutralizeArraySpeciesBatch() function, among others.

The most severe among them, CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006, all carry a perfect CVSS score of 10.0, while CVE-2026-43999 scores 9.9. The remaining flaws score between 9.1 and 9.8, placing every single one of the twelve in the critical severity range.

A Pattern of Bypass After Bypass

This latest batch of disclosures follows a critical sandbox escape flaw patched just a few months ago in January 2026. The vm2 maintainer, Patrik Simek, has previously acknowledged that the challenge of securely sandboxing JavaScript is ongoing, and that new bypasses are likely to continue emerging. Each patch has been followed by researchers finding new ways around the protections, a pattern that highlights the fundamental difficulty of enforcing strong isolation boundaries within the JavaScript runtime itself.

What to Do

Any application or service relying on vm2 to sandbox untrusted code should treat this as an urgent update. Upgrade to vm2 version 3.11.2 as soon as possible. Teams that cannot update immediately should consider disabling or restricting access to any functionality that relies on vm2 until the patch can be applied, given the critical severity of the vulnerabilities and the ease with which sandbox escapes can lead to full host compromise.
