CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox

Vulnerability ID: CVE-2026-24120
CVSS Score: 9.8
Published: 2026-05-05

An incomplete mitigation for a previous sandbox escape in the vm2 Node.js module allows attackers to execute arbitrary code on the host system. By manipulating Promise species and intercepting internal method calls via prototype pollution, attackers bypass sandbox protections and gain full host access.

TL;DR

vm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Attackers bypass internal security wrappers by overwriting Function.prototype.call and hijacking Promise creation, achieving unauthenticated remote code execution on the host system.…