Full Report
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. [...]
Analysis Summary
# Vulnerability: Critical vm2 Sandbox Escape via WebAssembly Exception Handling
## CVE Details
- **CVE ID:** CVE-2026-26956
- **CVSS Score:** 10.0 (Critical - *estimated based on RCE and history of similar vm2 flaws*)
- **CWE:** CWE-693: Protection Mechanism Failure / CWE-265: Privilege Segregation Improperly Implemented
## Affected Systems
- **Products:** vm2 (Node.js sandboxing library)
- **Versions:** Impact confirmed on version 3.10.4; earlier releases are likely vulnerable.
- **Configurations:** Systems running **Node.js 25** (specifically confirmed on 25.6.1) with WebAssembly exception handling and JSTag support enabled.
## Vulnerability Description
The vulnerability exists due to a mismatch between vm2’s JavaScript-level security wrappers and the low-level exception handling provided by the V8 engine for WebAssembly.
vm2 typically relies on JavaScript Proxies to sanitize objects crossing the sandbox boundary. However, WebAssembly exception handling can intercept errors at a level lower than vm2's protections. By triggering a specific `TypeError` through a Symbol-to-string conversion, an attacker can cause a host-side error object to bypass sanitization. This "leaked" host object provides access to the host's constructor chain, allowing the attacker to reach the Node.js `process` object and execute arbitrary commands on the underlying host system.
## Exploitation
- **Status:** PoC available (published by the maintainer).
- **Complexity:** Low (Scripted PoC simplifies exploitation).
- **Attack Vector:** Network (Applicable to any service accepting untrusted user-supplied JavaScript).
## Impact
- **Confidentiality:** Total (Full access to host files and environment).
- **Integrity:** Total (Ability to modify host system and data).
- **Availability:** Total (Potential for system-wide denial of service or ransomware).
## Remediation
### Patches
- **Recommended:** Upgrade to vm2 version **3.10.5** or higher.
- **Latest:** Version **3.11.2** addresses this and potentially subsequent security improvements.
### Workarounds
- No specific software workarounds are provided; however, moving to a different isolation strategy (such as Docker containers or hardware-level virtualization) is a general best practice for executing untrusted code given vm2's history of escapes.
- Disable WebAssembly exception handling if not strictly required by the application.
## Detection
- **Indicators of Compromise:** Unusual child processes spawned by the Node.js application (e.g., `sh`, `bash`, `cmd.exe`).
- **Detection methods:** Review server logs for `TypeError` logs involving `Symbol` conversions or WebAssembly errors. Use SCA (Software Composition Analysis) tools to identify vulnerable versions of the `vm2` npm package.
## References
- Maintainer Advisory: hxxps[://]github[.]com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
- Vm2 Releases: hxxps[://]github[.]com/patriksimek/vm2/releases/tag/v3.10.5
- Original Report: hxxps[://]www[.]bleepingcomputer[.]com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/