
vm2 Sandbox Escape (CVE-2026-24118): RCE Risk for SAMA Banks

Twelve critical vm2 Node.js sandbox escape vulnerabilities, including CVE-2026-24118 (CVSS 9.8), let attackers execute arbitrary code on host servers. Saudi banks and fintechs running Node.js platforms face urgent SAMA CSCC remediation pressure.

FyntraLink Team

A wave of twelve critical vulnerabilities in the popular vm2 Node.js sandbox library — headlined by CVE-2026-24118 (CVSS 9.8) and CVE-2026-24120 — allows attackers to escape the sandbox and execute arbitrary commands on the underlying host. For Saudi banks and fintechs running Node.js-based digital channels, payment orchestration, and serverless workloads, this is a direct RCE pathway that maps cleanly to SAMA CSCC application security obligations.

What CVE-2026-24118 and CVE-2026-24120 actually break

vm2 is widely used to execute untrusted JavaScript inside a V8 context created through Node's vm module, with proxies layered on top to hide host-realm objects from the guest. Common patterns in financial services include rule engines, low-code workflow builders, fraud-scoring expressions, customer-facing developer playgrounds, and chatbot logic. CVE-2026-24118 uses the __lookupGetter__ mechanism to leak direct references to host-realm objects, which collapses the boundary between guest and host. CVE-2026-24120 bypasses the incomplete patch for the older CVE-2023-37466 by hijacking Promise[Symbol.species], then pivots through child_process.execSync to spawn arbitrary OS commands. Both end in full remote code execution as the Node.js process, with whatever credentials, tokens and network reach that process already has.

Why this is worse than a normal Node.js CVE

vm2's maintainers have officially deprecated the library and state that it cannot be made secure: it is built on Node's vm module, which Node's own documentation describes as not a security mechanism, and each published escape has been a new route to an unsanitized host-realm object through the proxy layer. That means there is no long-term secure version. The patched releases (3.11.0 and 3.11.2) close the known escapes, but the architectural model remains fragile and the next bypass is a matter of time. Any Saudi institution still depending on vm2 in production must treat the library itself as end-of-life and migrate, not merely upgrade. Which packages depend on vm2 is public in npm metadata, so an attacker who can identify a platform's stack can assume the dependency is present; exploitation of exposed JSON-RPC endpoints, webhook receivers, and BPM rule engines is straightforward once an authenticated user can supply a JavaScript expression.

Impact on SAMA-regulated financial institutions

Under SAMA CSCC 3.3.14 (Application Security) and 3.3.15 (Cyber Security Event Management), regulated entities must maintain a verified inventory of third-party libraries, perform continuous vulnerability assessment, and remediate critical issues within defined SLAs. A vm2 RCE on a payment gateway or open-banking microservice would also trigger NCA ECC-1:2018 control 2-10 (Application Security) and could constitute a reportable incident under the PDPL if customer data is exposed. PCI-DSS 4.0 requirement 6.3.3 on patching critical vulnerabilities within one month adds further pressure for cardholder-data environments.

Practical remediation steps

  1. Run an SBOM scan across all Node.js services using npm ls vm2, Snyk, Trivy, or Dependency-Track to identify direct and transitive dependencies on vm2.
  2. Treat vm2 as deprecated. Migrate sandboxed-execution use cases to isolated-vm, QuickJS, V8 isolates via Cloudflare Workers, or an out-of-process sandbox (Firecracker micro-VMs, gVisor) depending on threat model. Whichever runtime is chosen, run untrusted code in a separate process or container with its own least-privilege identity: an escape from an in-process isolate still lands in the service's process, with its secrets and network reach. Where the use case only needs expressions over data (fraud scores, routing rules), prefer a restricted expression language to a JavaScript engine altogether.
  3. For services that cannot be migrated this sprint, pin vm2 to 3.11.2, restrict who can submit expressions to the smallest set of authenticated and audited roles, and place untrusted-code endpoints behind WAF rules that block obvious escape primitives (__lookupGetter__, Promise[Symbol.species], child_process string literals). Treat the WAF rule as a speed bump, not a control: string matching on JavaScript is defeated by string concatenation, computed property access, or encoding, so it buys detection time and nothing more.
  4. Hunt for post-exploitation indicators: node processes spawning a shell or unexpected child processes, outbound connections from banking microservices to non-allow-listed IPs, and new or modified files in /tmp or on container filesystems.
  5. Update SAMA CSCC evidence pack: document the vulnerability, affected assets, remediation timeline, and compensating controls — auditors are now actively testing third-party library hygiene.
  6. Add vm2 and forks of it to the cyber-procurement deny-list for new vendor onboarding and PoCs until the GRC team approves a replacement.

Conclusion

The vm2 saga is a textbook case of a security control becoming a security liability — and a clear signal that Saudi financial institutions need continuous SBOM visibility, not annual snapshots. The window between disclosure and exploitation has shrunk to days; SAMA CSCC compliance is now operational, not documentary.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a Node.js / open-source dependency risk review.