PT-2026-36852 · Npm · Vm2

0X5T · Published 2026-05-01 · Updated 2026-05-08 · CVE-2026-26956

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

vm2 version 3.10.4

Description

A critical flaw in vm2, an open-source sandbox for Node.js, allows attackers to escape the sandbox and execute arbitrary code on the host system. The issue occurs when attacker-controlled code is passed to the VM.run() function. By manipulating WebAssembly exception handling (specifically the try_table instruction combined with a JSTag catch handler), attackers can bypass vm2's JavaScript-level security mechanisms. This lets them intercept a host-realm TypeError (triggered by Symbol-to-string coercion) at the V8 engine's C++ level, where vm2 does not sanitize it. The attacker can then use the error object's constructor chain to obtain the host process object and execute system commands. This vulnerability specifically affects environments using Node.js 25 (confirmed on v25.6.1 on x64 Linux) where WebAssembly exception handling and JSTag support are enabled. Real-world exploitation has been reported, enabling privilege escalation and lateral movement across Node.js environments.

Recommendations

Update vm2 to version 3.10.5 or later. As a temporary workaround, consider restricting the use of the VM.run() function with untrusted input.
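
An added example, not part of the advisory or of vm2: a Node.js check that compares a host against the conditions described above (vm2 below the fixed 3.10.5, Node.js 25, `WebAssembly.JSTag` exposed). The function names and status strings are hypothetical, and treating every vm2 release below 3.10.5 as needing the update is an assumption, since the advisory names only 3.10.4.

```javascript
// Added example (not vm2 or advisory code). Thresholds are taken from the
// advisory: fixed in vm2 3.10.5, confirmed on Node.js 25 with JSTag support.
const FIXED_VM2 = [3, 10, 5];
const AFFECTED_NODE_MAJOR = 25;

// Parse "3.10.4" or "v25.6.1" into [major, minor, patch]; null if malformed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// facts = { vm2Version, nodeVersion, hasJSTag }; returns a status string.
// Assumption: every vm2 release below 3.10.5 is treated as needing the update.
function assessExposure(facts) {
  const vm2 = parseVersion(facts.vm2Version);
  const node = parseVersion(facts.nodeVersion);
  if (!vm2 || !node) return 'unknown';             // cannot decide, inspect by hand
  if (!isBelow(vm2, FIXED_VM2)) return 'patched';  // 3.10.5 or later
  const preconditions = node[0] === AFFECTED_NODE_MAJOR && facts.hasJSTag === true;
  return preconditions ? 'exposed' : 'update-required';
}

// Gather the same facts from the running process.
function collectLocalFacts() {
  let vm2Version = null;
  if (typeof require === 'function') {
    try {
      vm2Version = require('vm2/package.json').version;
    } catch (err) {
      vm2Version = null; // vm2 is not resolvable from this directory
    }
  }
  const wasm = globalThis.WebAssembly;
  return {
    vm2Version,
    nodeVersion: process.versions.node,
    hasJSTag: typeof wasm === 'object' && wasm !== null && 'JSTag' in wasm,
  };
}

console.log(assessExposure(collectLocalFacts()));
```

Run it from the application's directory so that `require` resolves the same vm2 copy the service loads; `update-required` means the runtime conditions named in the advisory were not all observed, but the recommended upgrade still applies.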

Exploit · Fix · RCE · LPE · Protection Mechanism Failure · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-06428
CVE-2026-26956
GHSA-FFH4-J6H5-PG66

Affected Products

Vm2