vm2 Node.js Sandbox Escape CVE-2026-26956 — 1.3 Million Weekly Downloads, PoC Published

A critical sandbox escape vulnerability in the vm2 Node.js sandboxing library allows a malicious script to break out of the sandbox and execute arbitrary code in the host Node.js process. CVE-2026-26956 affects all vm2 versions prior to 3.9.22 and is present in any application using vm2 to safely execute untrusted code — including serverless platforms, coding challenge sites, CI/CD systems, and plugin architectures. A PoC is publicly available.

3 min read
#nodejs#vm2#sandbox-escape#cve#javascript#supply-chain#serverless#code-execution

A critical sandbox escape vulnerability in vm2 — one of the most widely used Node.js sandboxing libraries — allows arbitrary code execution in the host process. CVE-2026-26956, patched in vm2 3.9.22, affects the library’s WebAssembly exception handling pathway and has been given a CVSS score of 9.8. A public proof-of-concept has been released.

vm2 is downloaded approximately 1.3 million times per week from npm and is a dependency of numerous applications that need to execute untrusted JavaScript in an isolated environment — ranging from online coding challenge platforms to plugin architectures in CI/CD tools, serverless execution environments, and development tooling.

Vulnerability Details

The escape takes advantage of how vm2 handles exceptions thrown from WebAssembly (Wasm) code. When a Wasm module throws a V8-level TypeError, vm2’s exception handling pathway incorrectly propagates the error across the sandbox boundary. A carefully crafted Wasm module can leverage this exception propagation to obtain a reference to the host process’s global object — from which point the full Node.js API is accessible.

Once the sandbox boundary is crossed, an attacker can:

  • Access the host filesystem (require('fs'))
  • Execute child processes (require('child_process').exec(...))
  • Make outbound network connections
  • Access process environment variables including secrets, tokens, and credentials

The vulnerability requires the attacker to control the JavaScript code being executed inside the vm2 sandbox — the precise scenario vm2 is deployed to handle safely.

Who Is Affected

Any application that:

  1. Uses vm2 to execute user-supplied or untrusted JavaScript
  2. Runs on a version prior to 3.9.22

Common deployment patterns at risk:

  • Online coding platforms and sandboxes: Sites that execute user-submitted code (competitive programming, coding interview platforms, educational sandboxes) are the most directly exposed
  • Plugin systems: Applications that allow users to write JavaScript plugins executed in a vm2 sandbox — Figma-style plugin ecosystems, CI/CD workflow scripting, no-code/low-code platforms with custom logic
  • CI/CD systems: Pipeline configuration tools that evaluate untrusted repository scripts
  • Lambda/serverless execution environments: Platforms that use vm2 to isolate tenant functions

Remediation

Update vm2 to 3.9.22 or later immediately:

npm install vm2@3.9.22

For applications where vm2 is a transitive dependency, run npm ls vm2 to list every installed copy in the dependency tree and the packages that pull it in. Nested copies under another package's node_modules directory are separate installs, and each one must be at 3.9.22 or later. If an upstream package has not yet released a fix, force the version with an overrides entry in package.json (npm 8.3 or later; Yarn uses resolutions, pnpm uses pnpm.overrides), re-run npm install, and re-check with npm ls vm2. Treat the application as unpatched until the lock file shows no vm2 entry below 3.9.22.
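As an added example (not part of the original article and not vm2 project code), the script below does for one package name what npm ls vm2 does, but reads package-lock.json directly so it can run in CI before node_modules exists. It assumes the lockfileVersion 2 or 3 layout, where every entry is keyed by its install path, emulates Node's upward node_modules resolution to attribute each installed copy to the packages that actually load it, and fails closed on versions it cannot parse (git or file specifiers). The fixed version 3.9.22 is taken from the advisory above; the lock file content at the bottom is constructed for the demonstration.

```javascript
'use strict';

// Fixed release named in the advisory; anything below this is reported.
const FIXED_VERSION = '3.9.22';

// Parse "MAJOR.MINOR.PATCH". A leading "v" and any pre-release suffix are
// tolerated; returns null when the string is not a semantic version at all.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true when `version` sorts strictly below `fixed`. Unparseable versions
// (git:, file:, link: specifiers) are treated as vulnerable so they cannot
// hide an old copy from the scan.
function isVulnerable(version, fixed = FIXED_VERSION) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a) return true;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Emulate Node's module resolution on lockfile paths: starting from the
// package installed at `fromPath`, which copy of `name` does require(name)
// load? Try the nearest node_modules first, then walk up the chain.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Returns one record per vulnerable installed copy of vm2:
//   { path, version, dependents: [names of packages that resolve to it] }
function findVulnerableVm2(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/vm2')) continue; // keys are install paths
    if (!isVulnerable(info.version)) continue;
    const dependents = [];
    for (const [depPath, depInfo] of Object.entries(packages)) {
      const deps = { ...(depInfo.dependencies || {}), ...(depInfo.optionalDependencies || {}) };
      if (!('vm2' in deps)) continue;
      if (resolveFrom(packages, depPath, 'vm2') === path) {
        dependents.push(depPath === '' ? (lock.name || '(root project)') : depPath);
      }
    }
    hits.push({ path, version: info.version, dependents });
  }
  return hits;
}

// Constructed sample lock file: the root project pins an old vm2 directly,
// while a plugin package nests its own, already-fixed copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'plugin-runner': '^1.0.0', vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/plugin-runner': { version: '1.4.0', dependencies: { vm2: '3.9.22' } },
    'node_modules/plugin-runner/node_modules/vm2': { version: '3.9.22' },
  },
};

// Usage: node find-vm2.js [path/to/package-lock.json]; without an argument
// the constructed sample above is scanned.
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const hit of findVulnerableVm2(lock)) {
    const by = hit.dependents.length ? hit.dependents.join(', ') : 'nothing (orphaned copy)';
    console.log(`${hit.path}@${hit.version} is below ${FIXED_VERSION}; required by: ${by}`);
  }
}
```

On the sample, only the top-level copy is reported, attributed to the root project; the plugin's nested 3.9.22 copy is silent because plugin-runner resolves to its own node_modules first. A copy that no package resolves to is still reported, since a leftover directory on disk is still loadable by a relative require.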

Note on vm2’s maintenance status: vm2 has historically had a pattern of sandbox escape vulnerabilities — this is the seventh significant sandbox escape disclosed in the library since 2018. The maintainers have acknowledged that vm2’s architecture makes truly secure sandboxing in Node.js difficult to guarantee. For use cases where security is critical, evaluate moving to alternatives such as:

  • Deno for JavaScript/TypeScript execution, run as a separate process with only the explicit --allow-* permissions the workload needs
  • Not Node.js's built-in node:vm module or Worker Threads on their own: the Node.js documentation states that node:vm is not a security mechanism and must not be used to run untrusted code (vm2 itself is built on top of it), and a worker thread shares the host process and its privileges, so neither holds an attacker who already has arbitrary JavaScript execution
  • Process-level isolation: one OS process per tenant, started with a minimal environment (no inherited secrets or tokens), resource limits, and an OS-level sandbox such as seccomp, namespaces or a container, so that a JavaScript-level escape lands in a process with nothing worth reaching

The history of vm2 escape vulnerabilities suggests that patching the current issue, while necessary, does not address the underlying architecture. Long-term architectural changes towards process isolation or capability-based runtimes provide more durable security guarantees for untrusted code execution.
