vm2 Sandbox Escape Vulnerability Allows Attackers to Execute Code (CVE-2026-26956)

Security researchers have identified a critical severity vulnerability impacting the popular Node.js sandboxing library vm2. Tracked as CVE-2026-26956, successful exploitation of the vulnerability allows an attacker to escape the sandbox and execute arbitrary code on the host system. Proof-of-concept code for the vulnerability is publicly available.

vm2 is a widely used JavaScript sandbox that runs untrusted code while granting it access only to an allow-listed set of Node’s built-in modules. Sandboxes of this kind are used in modern applications for a variety of functions.

vm2 has over 16 million monthly downloads. The product is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products. As a result, the vm2 vulnerability can have severe consequences for apps that use it, given the nature of sandbox use cases.

Vulnerability Details

The vulnerability only affects environments with Node.js versions that support WebAssembly exception handling and JSTag (tested on v25.6.1). The vulnerability originates in the library’s erroneous handling of exceptions that cross between the sandboxed environment and the host.

According to the advisory, vm2’s sandbox security relies on two JavaScript-level mechanisms:

  1. A code transformer that injects handleException() into JS catch clauses to wrap host-realm errors.
  2. Bridge Proxies that wrap cross-context objects.

Both operate entirely within JavaScript.

WebAssembly’s try_table instruction, using a JSTag catch handler, intercepts JavaScript exceptions at V8’s C++ level, before they ever reach JavaScript execution. When an imported JS function throws a TypeError, triggered by Symbol-to-string coercion during stack formatting, the WASM try_table captures it as an opaque externref and returns it as a regular function value.

This WASM exception-handling-to-return-value pathway bypasses vm2’s sandboxing entirely. The unsanitized host-realm TypeError reaches attacker-controlled code intact. From there, the error’s constructor chain (hostError.constructor.constructor) resolves to a Function constructor that exposes the host process object, enabling reflection beyond the vm2 context and ultimately achieving arbitrary code execution.

Affected versions

The vulnerability affects the vm2 NPM package version 3.10.4.

Mitigation

Users must upgrade to the vm2 NPM package version 3.10.5 to patch the vulnerability.
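The two facts a defender needs from this advisory are the affected and fixed vm2 versions (3.10.4 and 3.10.5) and the runtime precondition (a Node.js build with WebAssembly exception handling and JSTag). The script below is an added example, not code from vm2, Qualys, or the advisory: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) to find every installed copy of vm2, including nested ones, classifies each against the advisory's versions, and reports whether the running Node.js exposes `WebAssembly.JSTag`. The use of the `WebAssembly.JSTag` global as the indicator of JSTag support is an assumption; the sample lockfile fragment is constructed for the demonstration.

```javascript
// Added example (not vm2's, Qualys's or the advisory's code): audit an npm
// lockfile for the vm2 version named in the advisory and report the runtime
// precondition the advisory describes.
const AFFECTED_VM2_VERSION = '3.10.4'; // version named as affected in the advisory
const FIXED_VM2_VERSION = '3.10.5';    // version named as the fix in the advisory

// Compare two dotted numeric version strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 'affected'    : exactly the version the advisory names
// 'below-fixed' : older than the fixed release; not named by the advisory, review
// 'fixed'       : the fixed release or newer
function classifyVm2Version(version) {
  if (version === AFFECTED_VM2_VERSION) return 'affected';
  if (compareVersions(version, FIXED_VM2_VERSION) < 0) return 'below-fixed';
  return 'fixed';
}

// Collect every installed copy of vm2 from a lockfile's "packages" map
// (npm lockfileVersion 2/3). Keys look like "node_modules/vm2" or
// "node_modules/<dep>/node_modules/vm2" for nested installs.
function findVm2Installs(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages ?? {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      hits.push({ path, version: meta.version, status: classifyVm2Version(meta.version) });
    }
  }
  return hits;
}

// Runtime precondition from the advisory: only Node.js builds supporting
// WebAssembly exception handling with JSTag are affected. Assumption: the
// presence of the WebAssembly.JSTag global indicates that support.
function runtimeExposesJSTag() {
  return typeof WebAssembly !== 'undefined' && typeof WebAssembly.JSTag !== 'undefined';
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.10.4' },
    'node_modules/some-tool/node_modules/vm2': { version: '3.10.5' },
    'node_modules/acorn': { version: '8.12.0' },
  },
};

// Combine the lockfile findings with the runtime check into one report.
function auditReport(lockfile) {
  const installs = findVm2Installs(lockfile);
  return {
    installs,
    needsUpgrade: installs.some((i) => i.status !== 'fixed'),
    runtimeJSTag: runtimeExposesJSTag(),
  };
}

// Usage: `node audit-vm2.js [path/to/package-lock.json]`; without an argument
// the constructed sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lockfile = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  console.log(JSON.stringify(auditReport(lockfile), null, 2));
}
```

Nested copies matter here: a transitive dependency can pin its own vm2 under its own `node_modules`, so checking only the top-level entry misses it. `needsUpgrade` is true when any copy is not at the fixed release, and `runtimeJSTag` tells you whether the host runtime even meets the advisory's precondition, which is useful for prioritisation but not a substitute for upgrading.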

For more information, please refer to the GitHub Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 5011814 to detect vulnerable assets.

QID 5011814 is currently available via the SwCA capabilities for Container Security.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:
https://github.com/advisories/GHSA-ffh4-j6h5-pg66