
Critical vm2 sandbox flaw enables host code execution

Summary

– A critical vulnerability (CVE-2026-26956) in the Node.js sandboxing library vm2 allows sandbox escape and arbitrary code execution on the host system, with a published proof-of-concept exploit.
– The flaw impacts vm2 version 3.10.4 and potentially earlier releases, but only on Node.js 25 with WebAssembly exception handling and JSTag support enabled.
– The vulnerability results from vm2 incorrectly handling exceptions that cross between the sandbox and host; WebAssembly can intercept JavaScript errors at a lower level in V8, bypassing vm2’s JavaScript-based defenses.
– Attackers can trigger a crafted TypeError to leak a host-side error object into the sandbox, then abuse its constructor chain to access Node.js internals and execute arbitrary commands.
– Users should upgrade to vm2 version 3.10.5 or later (latest is 3.11.2), and the library has a history of similar sandbox escape flaws, including CVE-2026-22709, CVE-2023-30547, CVE-2023-29017, and CVE-2022-36067.

A severe security flaw has been uncovered in vm2, a widely used Node.js sandboxing library, that could allow attackers to break free from the sandbox and run arbitrary code on the host system. This vulnerability, designated CVE-2026-26956, has been confirmed in vm2 version 3.10.4, though earlier versions may also be at risk. Proof-of-concept (PoC) exploit code has already been released.

According to the maintainer’s advisory, the issue specifically arises in environments running Node.js 25 (confirmed on version 25.6.1) when WebAssembly exception handling and JSTag support are enabled. vm2 is an open-source tool designed to execute untrusted JavaScript code within a restricted environment, commonly used by online coding platforms, automation tools, and SaaS applications that process user-submitted scripts. The library typically isolates sandboxed code from the host system, blocking access to sensitive Node.js APIs such as `process` and the filesystem.

The library enjoys massive adoption, with over 1.3 million weekly downloads on npm (Node Package Manager). CVE-2026-26956 originates from vm2’s flawed handling of exceptions that cross between the sandboxed environment and the host. Normally, vm2 relies on JavaScript-level protections and bridge Proxies that wrap cross-context objects, both operating entirely within JavaScript. However, WebAssembly exception handling can intercept JavaScript errors at a lower level inside Google’s V8 engine, effectively bypassing vm2’s JavaScript-based defenses.

By triggering a specially crafted TypeError through Symbol-to-string conversion, attackers can cause a host-side error object to leak back into the sandbox without being sanitized. Since the leaked object originates from the host, attackers can exploit its constructor chain to regain access to Node.js internals, such as the `process` object. This ultimately enables arbitrary command execution on the host system. The maintainer’s advisory includes a PoC exploit demonstrating remote code execution.

Users are strongly urged to upgrade to vm2 version 3.10.5 or later (the latest is 3.11.2) to mitigate the risk. This is not the first time vm2 has faced such a threat. Earlier this year, another critical sandbox escape flaw, CVE-2026-22709, also allowed arbitrary code execution on the host. Additional past vulnerabilities include CVE-2023-30547, CVE-2023-29017, and CVE-2022-36067, underscoring the persistent challenge of securely isolating untrusted code within JavaScript sandbox environments.
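For teams applying the upgrade advice above, here is an added example (not code from the article or the vm2 project) of a dependency audit that walks a package-lock.json for every installed copy of vm2 and classifies each against the window the advisory describes: vm2 below 3.10.5 on Node.js 25. The version strings, the lockfile layout, the `demo-app` and `script-runner` package names and the status labels are constructed assumptions for the sample.

```javascript
// Added example, not code from the article or the vm2 project. Assumptions:
// plain "x.y.z" versions, fixed release 3.10.5 and affected runtime Node.js 25
// (both from the advisory), and a lockfileVersion 2/3 "packages" map.
const FIXED_VM2 = '3.10.5';
const AFFECTED_NODE_MAJOR = 25;

// Compare two "x.y.z" strings numerically; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.replace(/^v/, '').split('.').map(Number);
  const pb = b.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify one installed vm2 version for a given Node.js runtime: 'patched'
// (>= 3.10.5), 'vulnerable' (pre-fix vm2 on Node.js 25, the combination the
// advisory confirms) or 'upgrade-recommended' (pre-fix vm2 on another runtime).
function assessVm2(vm2Version, nodeVersion) {
  const nodeMajor = Number(nodeVersion.replace(/^v/, '').split('.')[0]);
  if (compareSemver(vm2Version, FIXED_VM2) >= 0) {
    return { status: 'patched', reason: `vm2 ${vm2Version} >= ${FIXED_VM2}` };
  }
  if (nodeMajor === AFFECTED_NODE_MAJOR) {
    return { status: 'vulnerable', reason: `vm2 ${vm2Version} on Node.js ${nodeMajor}` };
  }
  return { status: 'upgrade-recommended', reason: `vm2 ${vm2Version} < ${FIXED_VM2}` };
}

// Find every vm2 copy in the lockfile, nested ones included: a transitive
// dependency can pin an old vm2 under its own node_modules directory.
function findVm2InLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2'))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function auditLock(lock, nodeVersion) {
  return findVm2InLock(lock).map((hit) => ({ ...hit, ...assessVm2(hit.version, nodeVersion) }));
}

// Constructed sample lockfile: a top-level 3.10.4 plus a nested, already fixed copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/vm2': { version: '3.10.4' },
  'node_modules/script-runner/node_modules/vm2': { version: '3.11.2' },
} };
console.table(auditLock(SAMPLE_LOCK, process.version));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies are the ones `npm ls vm2` is most likely to surprise you with.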

(Source: BleepingComputer)
