GoKawiilA critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.
The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.
In the security advisory, the maintainer says that the issue only impacts environments with Node.js 25 (confirmed on Node.js 25.6.1) that have enabled WebAssembly exception handling and JSTag support.
vm2 is an open-source Node.js library used to run untrusted JavaScript code inside a restricted sandbox environment. It is commonly employed by online coding platforms, automation tools, and SaaS apps that execute user-supplied scripts.
The library attempts to isolate sandboxed code from the host system and block access to sensitive Node.js APIs like process and the filesystem.
vm2 is widely used, with more than 1.3 million weekly downloads on the npm (Node Package Manager), the default command-line package manager for Node.js.
CVE-2026-26956 stems from the library’s erroneous handling of exceptions crossing between the sandboxed environment and the host.
The advisory explains that vm2 normally relies on JavaScript-level protections that safeguard against host-based errors and bridge Proxies that wrap cross-context objects, both running entirely within JavaScript.
However, WebAssembly exception handling can intercept JavaScript errors at a lower level inside Google’s V8 engine, bypassing vm2’s JavaScript-based security defenses.
By triggering a specially crafted TypeError using Symbol-to-string conversion, attackers can cause a host-side error object to leak back into the sandbox without being sanitized by vm2.
... continue reading