CVE-2026-24118

CRITICAL

VM2 Sandbox Breakout Through __lookupGetter__

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24118. PoCs published by HORKimhab.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-24118, targeting a vulnerable version of the vm2 sandbox (3.10.1). The exploit leverages a prototype pollution or error handling vulnerability to escape the sandbox and achieve remote code execution (RCE) on the host system.

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Exploits (1)

nomisec WORKING POC
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-24118

This repository contains a functional exploit for CVE-2026-24118, targeting a vulnerable version of the vm2 sandbox (3.10.1). The exploit leverages a prototype pollution or error handling vulnerability to escape the sandbox and achieve remote code execution (RCE) on the host system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vm2 version 3.10.1
No auth needed
Prerequisites: Node.js environment · vm2 version 3.10.1 · Express.js for the lab setup
devstral-2 · analyzed May 07, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0089
EPSS Percentile 54.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-693 CWE-94
Status published
Products (3)
npm/vm2 0 - 3.11.0npm
patriksimek/vm2 < 3.11.0
vm2_project/vm2 < 3.11.0
Published May 04, 2026
Tracked Since May 04, 2026