CVE-2026-26956: Critical vm2 Sandbox Escape via WebAssembly Hits 1.3M-Download Node.js Library

CVE-2026-26956 (CVSS v3.1: 9.8 — Critical) is a sandbox escape vulnerability in vm2, a Node.js sandboxing library downloaded over 1.3 million times per week on npm (the Node.js package registry). The flaw allows an attacker whose code is executing within a vm2 sandbox to escape the sandbox and execute arbitrary commands on the host system by exploiting WebAssembly exception handling introduced in Node.js 25. CVE-2026-26956 is the latest in a series of more than 20 known sandbox breakouts in vm2's history. Patched versions 3.10.5 and 3.11.2 are available and should be applied immediately.

CVE-2026-26956: Technical Details

vm2 (available as the vm2 npm package) is a widely used Node.js library that claims to provide a sandboxed environment for running untrusted JavaScript code — isolating guest code from the host Node.js process and its capabilities. The library is used by platforms that need to execute user-provided scripts in a constrained environment: API gateways, testing frameworks, online coding environments, and content management systems with scripting capabilities.

CVE-2026-26956 exploits WebAssembly exception handling (a relatively new JavaScript/WebAssembly feature that allows WebAssembly modules to raise and catch typed exceptions that can cross the JavaScript/WebAssembly boundary) to defeat vm2's JavaScript-level isolation.

The attack mechanism works as follows:

• Triggering a host-side TypeError. The attacker crafts a specially formed Symbol-to-string coercion — a JavaScript operation where the runtime converts a Symbol type to a string representation. Under specific conditions in Node.js 25 with WebAssembly JSTag support enabled, this coercion triggers a TypeError (a type mismatch error) that is generated on the host side of the vm2 isolation boundary.

• Sanitization bypass. vm2 relies on JavaScript Proxy objects (a feature that intercepts and rewrites property accesses and function calls on objects) to prevent guest code from accessing host-side objects. However, when the TypeError is raised via the WebAssembly exception pathway, it crosses back into the sandbox without being sanitized by vm2's Proxy-based interception layer.

• Access to the process object. The unsanitized error leaks a reference to the host-side process object — the Node.js global object that provides access to the running process's environment, file system, and the ability to spawn child processes.

• Arbitrary code execution. With access to process, the attacker can call process.binding('spawn_sync') or similar to execute arbitrary operating system commands on the host, escaping the sandbox entirely.

The vulnerability is classified as CWE-693: Protection Mechanism Failure — a broad classification covering vulnerabilities where a security control is present but can be bypassed.

CVE-2026-26956 affects environments running Node.js 25.6.1 or later with WebAssembly exception handling (JSTag support) enabled. Environments on Node.js 24 or earlier are not affected by this specific bypass.

Related Vulnerability: CVE-2026-22709

CVE-2026-22709 (also CVSS 9.8 — Critical), disclosed in January 2026, is a separate vm2 sandbox escape affecting all versions up to and including 3.10.1. It exploits improper sanitization of Promise callbacks (asynchronous operation handlers in JavaScript): while localPromise.prototype.then callbacks are sanitized by vm2, globalPromise.prototype.then callbacks returned by async functions are not, allowing access to the host's Function constructor and arbitrary code execution.

CVE-2026-22709 was patched in vm2 3.10.2. If your environment is running vm2 3.10.1 or earlier, you are vulnerable to both CVE-2026-22709 and CVE-2026-26956 and must patch to 3.10.5 or 3.11.2 to address both.

Exploitation Status and Supply Chain Risk

Proof-of-Concept (PoC — working exploit code that demonstrates the vulnerability, enabling others to reproduce or weaponize it) code is available for CVE-2026-26956. No confirmed cases of in-the-wild exploitation targeting the May 2026 vulnerability have been reported as of this writing. However, vm2's profile — 1.3 million weekly downloads, 885+ direct npm dependents — makes it an exceptionally high-value supply chain target.

Supply chain attacks (compromising a widely used library to reach its downstream users) have become a dominant attack pattern in the software ecosystem. A threat actor exploiting CVE-2026-26956 in a platform that uses vm2 to run user-provided scripts could achieve server-side RCE (Remote Code Execution — running arbitrary commands on the server) against any organization using that platform. This extends the blast radius of the vulnerability far beyond direct vm2 users.

vm2 has maintained a security advisory history of over 20 known sandbox escapes across its lifetime, including:

• CVE-2023-32314
• CVE-2023-30547
• CVE-2023-29017
• CVE-2022-36067

The library was deprecated from July 2023 to October 2025 — during which time no security patches were issued — before returning to active maintenance. This history reflects a fundamental architectural limitation: vm2 achieves sandboxing through JavaScript-level Proxy interception, a technique that the JavaScript runtime itself was not designed to make tamper-proof. Each new JavaScript or WebAssembly engine feature introduces potential new pathways around Proxy-based isolation.

Who Is Affected

Vulnerable versions:

• vm2 3.10.4 and earlier (CVE-2026-26956, requires Node.js 25+)
• vm2 3.10.1 and earlier (also CVE-2026-22709)

Not affected:

• vm2 3.10.5, 3.11.2, and later
• Environments running Node.js 24 or earlier (CVE-2026-26956 specific; CVE-2026-22709 affects all Node.js versions)

Applications at elevated risk include:

• Online code execution platforms that run user-submitted JavaScript
• API gateways using vm2 to execute customer-defined transformation scripts
• Testing frameworks that execute untrusted test code in vm2 sandboxes
• CMS platforms with scripting capabilities backed by vm2
• Any SaaS application where users can submit code that is executed server-side

What You Should Do Right Now

• Upgrade vm2 to 3.10.5 or 3.11.2 immediately. This patches both CVE-2026-26956 and CVE-2026-22709. Update your package.json dependency and run npm install:

npm install vm2@3.10.5
# or
npm install vm2@3.11.2

# Verify installed version
npm list vm2

• Audit transitive dependencies. vm2 may be a transitive dependency (required by a package you use, not directly by your code). Run a full dependency audit to identify all paths:

npm audit
npm ls vm2

• Consider migrating away from vm2 entirely. vm2's architectural limitations mean that new bypass techniques will likely continue to emerge. More robust alternatives include:
• isolated-vm — uses V8 isolates (separate JavaScript engine instances with true memory isolation) rather than Proxy interception
• Native Node.js Worker Threads (built-in worker_threads module) with --disallow-code-generation-from-strings for basic isolation
• Deno — a security-first JavaScript runtime with permissions-based isolation built into the design
• Container-level isolation — run untrusted code in separate containers (Docker, gVisor, Firecracker) with no shared process space

• If you cannot immediately upgrade, restrict what data and modules are accessible to code executing in vm2 sandbox contexts. Minimize the attack surface by not passing sensitive objects into sandbox scope.

• Assess downstream dependencies. If your organization develops libraries or platforms that others depend on, check whether vm2 is in your dependency tree and communicate patch requirements to your users.

Background: Understanding the Risk

JavaScript sandboxing is an inherently difficult problem because the JavaScript engine (V8 in Node.js) was designed for performance and flexibility, not for hard security boundaries between execution contexts. The same Proxy and Reflect APIs that vm2 uses to intercept property accesses were designed to support legitimate patterns like metaprogramming and transparent caching — not to enforce security isolation against adversarial code.

The Endor Labs research team (Peyton Kennedy and Cris Staicu) characterized vm2's fundamental design challenge: "every new JavaScript engine feature is a potential new attack surface." WebAssembly exception handling, added to Node.js 25, introduced precisely the kind of new pathway that allows bypass of existing Proxy-based protections.

For organizations that genuinely need to execute untrusted code at the Node.js layer, the security community consensus is moving toward process-level or VM-level isolation rather than in-process JavaScript sandboxing. Isolated-vm's use of V8 Isolates — which are separate JavaScript engine instances with true memory isolation rather than Proxy interception — represents a significantly stronger guarantee than vm2's approach.

The vm2 deprecation from 2023 to 2025 created additional supply chain risk: many applications that depended on vm2 during that period received no security patches for two years, and the library's return to active maintenance has not resolved its underlying architectural limitations.

Conclusion

CVE-2026-26956 is the latest in a two-decade pattern of sandbox escapes in vm2 — a library whose Proxy-based isolation approach is fundamentally ill-suited to adversarial code execution. Any application running vm2 on Node.js 25+ must patch to 3.10.5 or 3.11.2 now, and any engineering team currently depending on vm2 for security isolation should begin evaluating migration to isolated-vm or container-based sandboxing before the next bypass is disclosed.