PT-2026-36852 · Npm · Vm2

0X5T · Published 2026-05-01 · Updated 2026-06-04 · CVE-2026-26956

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

vm2 versions prior to 3.10.5

Description

A critical sandbox escape exists in the vm2 library, which is used to run untrusted JavaScript code in Node.js applications. This issue allows an attacker to break out of the restricted environment and achieve arbitrary code execution (RCE) in the host Node.js process. The flaw is specifically observed in Node.js version 25 (confirmed on v25.6.1 running on x64 Linux) when WebAssembly exception handling and JSTag support are enabled.

Attackers can exploit this by passing specially crafted code to the VM.run() function. The exploitation involves manipulating WebAssembly exception handling using a try_table construct combined with a JSTag catch handler. This mechanism intercepts JavaScript exceptions at the V8 engine's C++ level, bypassing vm2's JavaScript-level security controls and error management. By triggering a TypeError through Symbol-to-string coercion, an attacker can leak a host-realm error object into the sandbox. This object's constructor chain can then be used to access the host process object and execute system commands.

This issue poses a significant risk to multi-tenant environments, plugin execution systems, continuous integration platforms, automation tools, and SaaS applications that execute user-supplied scripts.

Recommendations

Update to version 3.10.5 or later. As a temporary workaround, restrict or avoid passing untrusted input to the VM.run() function.
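
One way to check a project against the affected range above, as an added example that is not part of the original advisory or of vm2's own code: it scans the packages map of a parsed npm lockfile (lockfileVersion 2 or 3) for every vm2 copy older than 3.10.5, including nested transitive installs. The function names, the sample lockfile and all package names other than vm2 are constructed for illustration.

```javascript
// Added example: find vm2 copies older than the fixed release (3.10.5).
const FIXED = [3, 10, 5]; // first fixed vm2 version, from the advisory

// Parse "major.minor.patch[-prerelease]"; returns null when malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version is prior to 3.10.5. Unparseable versions fail closed.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease of 3.10.5 sorts before the release itself
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// return every installed vm2 copy, including nested transitive ones.
function findVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Advisory: confirmed on Node.js 25. Triage hint only; update vm2 regardless.
function nodeMatchesAdvisory(nodeVersion) {
  const p = parseVersion(nodeVersion);
  return p !== null && p.nums[0] === 25;
}

// Constructed sample lockfile; every package name except vm2 is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'tenant-runner', version: '1.0.0' },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/plugin-host/node_modules/vm2': { version: '3.9.19' },
    'node_modules/vm2-helper': { version: '1.0.0' },
  },
};

console.log(findVm2(SAMPLE_LOCK), 'node 25:', nodeMatchesAdvisory(process.version));
```

To run it against a real project, pass the result of JSON.parse on that project's package-lock.json to findVm2 in place of SAMPLE_LOCK.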

Exploit · Fix · LPE · RCE · Code Injection · Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

BDU:2026-06428
CVE-2026-26956
GHSA-FFH4-J6H5-PG66

Affected Products

Vm2