Vm2 Sandbox Flaw Exposes Host Systems to Code Execution Risk

CVE-2026-26956 is a critical sandbox-escape vulnerability in the vm2 Node.js library that can let attacker-supplied code break out of the sandbox and run arbitrary commands on the host.

CVE-2026-26956 and the versions it affects

The vulnerability has been confirmed to impact vm2 version 3.10.4, and the maintainer’s advisory warns that earlier releases may also be vulnerable. The advisory makes clear the flaw is conditional: it only affects environments running Node.js 25 (confirmed on Node.js 25.6.1) when WebAssembly exception handling and JSTag support are enabled. Users are advised to upgrade to vm2 version 3.10.5 or later — the advisory notes the latest available is 3.11.2 — to mitigate the risk.

How WebAssembly exception handling undermines vm2’s JavaScript defenses

vm2 attempts to isolate untrusted JavaScript by relying on JavaScript-level protections and bridge Proxies that wrap cross-context objects. Those protections operate entirely within JavaScript and are intended to sanitize errors and prevent host objects from leaking into the sandbox.

CVE-2026-26956 arises because WebAssembly exception handling can capture JavaScript errors at a lower level inside Google’s V8 engine, bypassing vm2’s JavaScript-based defenses. In the advisory, the maintainer explains that a specially crafted TypeError triggered via Symbol-to-string conversion can cause a host-side error object to leak back into the sandbox without being sanitized. Because the leaked object originates on the host side, its constructor chain can be used to recover access to Node.js internals such as the process object.

Proof-of-concept, attack chain, and impact

The maintainer included proof-of-concept exploit code demonstrating remote code execution on the host machine. The attack chain described in the advisory is specific: trigger a TypeError using Symbol-to-string conversion, let WebAssembly exception handling intercept the error below the JavaScript layer, allow a host error object to leak into the sandbox, then abuse that object’s constructor chain to reach Node.js internals and execute arbitrary commands on the host.

Because vm2 is widely used to execute untrusted code — the library has more than 1.3 million weekly downloads on npm — the advisory’s PoC elevates the risk profile: code that appears confined to a sandbox can, under the right runtime conditions, control the underlying system.

What this means for online coding platforms, automation tools, and SaaS apps

vm2 is commonly employed by online coding platforms, automation tools, and SaaS applications to run user-supplied scripts inside a restricted environment. Those operators should treat the advisory as operational: if their deployments run Node.js 25 with WebAssembly exception handling and JSTag enabled, they are in scope for CVE-2026-26956 and should prioritize upgrades to vm2 3.10.5 or later.

Because the PoC demonstrates remote code execution, platforms that allow arbitrary or semi-trusted scripts — code editors, REPLs, CI runners, and automation plug-ins — should audit where vm2 is used, confirm Node.js and vm2 versions, and apply the recommended updates promptly.
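The audit the article recommends reduces to three checks per deployment: the installed vm2 version against the fixed release, the Node.js major version, and whether the WebAssembly exception-handling and JSTag conditions hold. The script below is an added example written for this page; it is not code from the advisory or the vm2 project. It triages a constructed inventory of deployments against exactly the conditions stated above (vm2 older than 3.10.5, Node.js 25, WebAssembly exception handling and JSTag enabled). The runtime probe assumes that JSTag support can be detected by the presence of `WebAssembly.JSTag` in the current process; that detection method is an assumption, and a negative probe result should be read as "not detected", not as proof the process is safe.

```javascript
// Added example (not from the advisory or vm2): triage deployments against the
// runtime conditions the CVE-2026-26956 advisory states.

const FIXED_VM2 = '3.10.5';       // first fixed release named in the advisory
const AFFECTED_NODE_MAJOR = 25;   // the advisory scopes the flaw to Node.js 25

// Parse "3.10.4" or "v25.6.1" into [major, minor, patch]; ignores prerelease suffixes.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// vm2 is unpatched when it is older than the fixed release.
function vm2IsUnpatched(vm2Version) {
  return compareVersions(vm2Version, FIXED_VM2) < 0;
}

// Classify one deployment record:
//   'patched'                 vm2 >= 3.10.5
//   'exposed'                 old vm2 AND Node.js 25 AND wasm EH AND JSTag (all advisory conditions)
//   'unpatched-out-of-scope'  old vm2 but the runtime conditions are not met; still upgrade
function classify(d) {
  if (!vm2IsUnpatched(d.vm2)) return 'patched';
  const nodeMajor = parseVersion(d.node)[0];
  const conditionsMet =
    nodeMajor === AFFECTED_NODE_MAJOR && d.wasmExceptionHandling === true && d.jsTag === true;
  return conditionsMet ? 'exposed' : 'unpatched-out-of-scope';
}

// Probe the current process. Assumption: JSTag support is visible as WebAssembly.JSTag,
// which the exception-handling JS API exposes; absence means "not detected" only.
function probeRuntime() {
  const hasJSTag =
    typeof WebAssembly !== 'undefined' && typeof WebAssembly.JSTag !== 'undefined';
  return { node: process.versions.node, wasmExceptionHandling: hasJSTag, jsTag: hasJSTag };
}

// Constructed sample inventory (hypothetical hosts, not real deployments).
const SAMPLE_INVENTORY = [
  { name: 'repl-worker-a', vm2: '3.10.4', node: 'v25.6.1', wasmExceptionHandling: true,  jsTag: true },
  { name: 'ci-plugin-b',   vm2: '3.9.19', node: 'v22.11.0', wasmExceptionHandling: false, jsTag: false },
  { name: 'saas-runner-c', vm2: '3.11.2', node: 'v25.6.1', wasmExceptionHandling: true,  jsTag: true },
];

function triage(inventory) {
  return inventory.map((d) => ({ name: d.name, vm2: d.vm2, node: d.node, status: classify(d) }));
}

// Report: exposed hosts first, then anything still running an unpatched vm2.
const report = triage(SAMPLE_INVENTORY);
for (const row of report) {
  console.log(`${row.name.padEnd(14)} vm2=${row.vm2.padEnd(7)} node=${row.node.padEnd(8)} ${row.status}`);
}
console.log('this process:', probeRuntime());
```

In a real inventory the `vm2` field would come from each service's lockfile or `npm ls vm2` output and the `node` field from the runtime actually started in the container, not from a `.nvmrc` file; the `unpatched-out-of-scope` status exists so that hosts outside the advisory's stated conditions still land on the upgrade list rather than being filtered out.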

Mitigation advice and a pattern of repeated sandbox escapes

The immediate mitigation the maintainer provides is an upgrade: move to vm2 3.10.5 or later (the advisory cites 3.11.2 as the latest). The advisory’s specifics narrow the universe of vulnerable deployments — Node.js 25 with WebAssembly exception handling and JSTag — but the presence of published PoC code means defenders should assume exploitability where those conditions are met.

This is not the first time vm2 has been affected by critical sandbox-escape flaws. Earlier vulnerabilities include CVE-2026-22709 (another critical sandbox escape earlier this year), CVE-2023-30547, CVE-2023-29017, and CVE-2022-36067. Those prior incidents, and the current advisory, underscore the persistent difficulty of securely isolating untrusted JavaScript code when low-level engine features such as WebAssembly exception handling can subvert JavaScript-layer protections.

For operators running vm2 under the relevant Node.js configurations: inventory, confirm, and upgrade now. The published PoC removes ambiguity about feasibility; the remaining question is how many deployments currently meet the runtime conditions described in the advisory and will require urgent remediation.
