(socket.dev) Critical Sandbox Escape Vulnerability in vm2 JavaScript Library Exposes Node.js Applications to Arbitrary Command Execution
-
(socket.dev) Critical Sandbox Escape Vulnerability in vm2 JavaScript Library Exposes Node.js Applications to Arbitrary Command Execution
Critical sandbox escape in vm2 (CVE-2026-26956, GHSA-ffh4-j6h5-pg66) enables arbitrary command execution via WebAssembly.JSTag in Node.js applications. Affects vm2 0.2.2–3.10.4 on runtimes exposing WebAssembly.JSTag.
In brief - A critical flaw in the vm2 JavaScript sandboxing library allows attackers to bypass sandbox restrictions, access the host Node.js process, and execute arbitrary OS commands. The vulnerability impacts 66 versions of vm2 and requires immediate patching or mitigation via Certified Patches.
Technically - The vulnerability stems from insufficient isolation of WebAssembly.JSTag in vm2’s sandbox, allowing malicious JavaScript passed to VM.run() to escape and interact with the host process. Fixed in vm2 3.10.5 by removing WebAssembly.JSTag from the sandbox. Socket’s Certified Patches offer a targeted fix for teams unable to upgrade immediately. Review sandboxed workloads for least-privilege access and stronger isolation.
Source: https://socket.dev/blog/free-certified-patches-for-critical-vm2-sandbox-escape
-
R relay@relay.infosec.exchange shared this topic
