Introduction
A sandbox escape in the vm2 Node.js package allows an attacker to break out of the isolated execution environment and run arbitrary commands on the host system, earning a CVSS 3.1 base score of 9.8. For any application relying on vm2 to safely execute untrusted JavaScript, this vulnerability completely undermines the core security guarantee the library is designed to provide.
vm2 is an open source sandbox and virtual machine module for Node.js, widely used to execute untrusted code in an isolated context. It is a notable package in the Node.js ecosystem, frequently adopted in platforms that need to run user supplied scripts, plugins, or expressions without granting access to the host environment. Its presence in the National Vulnerability Database and the volume of security advisories it has accumulated reflect both its adoption and the difficulty of maintaining robust sandboxing in JavaScript.
Technical Information
The root cause of CVE-2026-26332 lies in how vm2 handles the `SuppressedError` object. `SuppressedError` is a relatively new JavaScript error type associated with the Explicit Resource Management proposal (the `using` keyword and `DisposableStack`). The vm2 sandbox failed to properly sanitize or proxy this error type, leaving a path through which internal references to host realm constructors could be accessed from within sandboxed code.
The attack flow, as described in the official GitHub security advisory (GHSA-55hx-c926-fr95), proceeds as follows:
- The attacker creates a `DisposableStack` inside the sandbox and manipulates it to trigger a `SuppressedError`.
- When the `SuppressedError` is caught, the attacker accesses `e.suppressed.constructor.constructor`. Because the `SuppressedError` object was not properly wrapped by the sandbox's proxy layer, this chain resolves to the host realm's `Function` constructor rather than the sandboxed one.
- With a reference to the host's `Function` object, the attacker can construct and invoke arbitrary functions that execute outside the sandbox boundary.
- The attacker uses this capability to require the `node:child_process` module and execute arbitrary system commands on the host, such as `echo pwned`.
The advisory confirms this exploit was demonstrated against Node.js version 24.13.0 running vm2 version 3.10.4.
The National Vulnerability Database maps this vulnerability to two CWE classifications:
| CWE ID | Vulnerability Type |
|---|---|
| CWE-94 | Improper Control of Generation of Code (Code Injection) |
| CWE-693 | Protection Mechanism Failure |
CWE-94 captures the fact that the attacker can inject and execute arbitrary code. CWE-693 captures the broader failure: the sandbox protection mechanism itself was bypassed. Together, these classifications describe a complete breakdown of the isolation boundary that vm2 is supposed to enforce.
The CVSS 3.1 vector reflects the severity: the attack is network accessible, requires low complexity, needs no privileges or user interaction, and results in complete compromise of confidentiality, integrity, and availability on the host.
Affected Systems and Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| vm2 (npm package) | All versions less than or equal to 3.10.4 | 3.11.0 |
Any Node.js application that includes vm2 as a dependency at version 3.10.4 or earlier is vulnerable. The exploit was specifically confirmed on Node.js 24.13.0 with vm2 3.10.4, but the advisory indicates all prior versions are affected.
Organizations should audit their dependency trees (using tools such as `npm ls vm2` or `yarn why vm2`) to identify both direct and transitive dependencies on vulnerable versions.
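The audit can also be scripted against the lockfile itself, which catches nested copies of vm2 that a quick look at a top-level `package.json` misses. The following Node.js script is an added example, not code from the advisory or the vm2 project; it assumes the `packages` map layout of a `package-lock.json` (lockfileVersion 2 or 3), and the sample lockfile it scans is constructed, with `some-plugin` being a hypothetical package name.

```javascript
// Added example (not from the advisory or the vm2 project): scan a package-lock.json
// for every installed vm2 copy, direct or transitive, at or below the last affected release.
const AFFECTED_MAX = [3, 10, 4]; // advisory: all versions <= 3.10.4 are affected

// Parse "major.minor.patch" into numbers, ignoring range prefixes and pre-release suffixes.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).replace(/^[\^~v=]+/, ""));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: returns -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed vm2 version falls inside the affected range (<= 3.10.4).
function isVulnerableVm2(version) {
  return compareSemver(parseSemver(version), AFFECTED_MAX) <= 0;
}

// Walk the lockfile's "packages" map and report each install path that resolves to a
// vulnerable vm2; nested copies under other dependencies are reported as well.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !entry.version) continue;
    if (isVulnerableVm2(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: one direct vm2 3.10.4 and one nested, already fixed 3.11.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.4" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.0" },
  },
};

const findings = findVulnerableVm2(SAMPLE_LOCK);
console.log(findings.length ? findings : "no vulnerable vm2 found");
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`.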
Vendor Security History
The vm2 project has a documented history of sandbox escape vulnerabilities. The version 3.11.0 release that patches CVE-2026-26332 also addresses at least seven other security advisories, the majority of which are Remote Code Execution flaws:
| Advisory ID | Description | Impact |
|---|---|---|
| GHSA-grj5-jjm8-h35p | Array species self return sandbox escape | Remote Code Execution |
| GHSA-v37h-5mfm-c47c | Handler reconstruction via util.inspect leak | Remote Code Execution |
| GHSA-qcp4-v2jj-fjx8 | Trap method on leaked handler with forged target | Remote Code Execution |
| GHSA-47x8-96vw-5wg6 | Cross realm symbol extraction from host objects | Remote Code Execution |
| GHSA-55hx-c926-fr95 | Promise structural leak and SuppressedError sanitisation | Remote Code Execution |
| GHSA-vwrp-x96c-mhwq | Host intrinsic prototype pollution via bridge write traps | Prototype Pollution |
| GHSA-947f-4v7f-x2v8 | NodeVM builtin allowlist bypass via host passthrough | Remote Code Execution |
| GHSA-hw58-p9xv-2mjh | Promise executor unhandled rejection | Denial of Service |
The volume and severity of these fixes in a single release point to systemic challenges in maintaining the sandbox boundary. Each new JavaScript language feature (such as SuppressedError, DisposableStack, or changes to Proxy behavior) introduces potential new attack surface that the sandbox must account for. Security teams relying on vm2 should factor this track record into their risk assessments and consider whether the library's isolation guarantees are sufficient for their threat model.