# Critical vm2 sandbox bug lets attackers execute code on hosts

_Thursday, June 25, 2026 at 11:42 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![Critical vm2 sandbox bug lets attackers execute code on hosts — Primary](https://www.bleepstatic.com/content/hl-images/2026/05/06/0_sandbox.jpg)

A critical vulnerability in the vm2 Node.js sandboxing library allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and impacts vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept exploit code has been published.

The maintainer says the issue only impacts environments with Node.js 25, confirmed on version 25.6.1, that have enabled WebAssembly exception handling and JSTag support. vm2 is an open-source library used to run untrusted JavaScript code inside a restricted sandbox. It is commonly employed by online coding platforms, automation tools and SaaS apps executing user-supplied scripts.

The library attempts to isolate sandboxed code from the host and block access to sensitive APIs like process and the filesystem. It has more than 1.3 million weekly downloads on npm. The flaw stems from erroneous handling of exceptions crossing between the sandbox and the host.

vm2 normally relies on JavaScript-level protections against host-based errors and on bridge Proxies wrapping cross-context objects. WebAssembly exception handling can intercept JavaScript errors at a lower level in Google's V8 engine, bypassing those defenses. Attackers can trigger a specially crafted TypeError using symbol-to-string conversion to leak a host-side error object into the sandbox without sanitization.

The leaked object allows attackers to abuse its constructor chain to access Node.js internals like the process object, enabling arbitrary command execution. The advisory includes a proof of concept for remote code execution. Users should upgrade to version 3.10.5 or later; the latest release is 3.11.2.
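As an added example (not code from the advisory, the vm2 project or BleepingComputer), the following Node.js triage script walks a package-lock.json for every installed copy of vm2, direct or nested, that is older than the fixed 3.10.5, and checks the runtime preconditions the maintainer named. The lock contents are constructed, and the `WebAssembly.JSTag` property check is an assumption about how JSTag support surfaces in the runtime.

```javascript
// Constructed sample of a package-lock.json "packages" map (lockfile v2/v3 layout),
// not taken from any real project: one direct vm2 pin on the affected 3.10.4 and one
// transitive copy already on a fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.4" },
    "node_modules/some-runner": { version: "2.1.0" },
    "node_modules/some-runner/node_modules/vm2": { version: "3.11.2" },
  },
};

// First release carrying the fix for CVE-2026-26956, per the advisory.
const FIXED_VERSION = "3.10.5";

// Compare two dotted release versions numerically (vm2 ships plain x.y.z tags,
// so no pre-release handling is needed). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report every installed copy of vm2 (top-level or nested under another
// dependency) whose version is below FIXED_VERSION.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isVm2 = path === "node_modules/vm2" || path.endsWith("/node_modules/vm2");
    if (isVm2 && compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// The advisory says the bug is reachable only on Node.js 25 with WebAssembly
// exception handling and JSTag support. Assumption: JSTag support is visible as
// the WebAssembly.JSTag constructor. Arguments default to the current host.
function runtimePreconditions(nodeVersion = process.version, wasm = globalThis.WebAssembly) {
  const major = Number(nodeVersion.replace(/^v/, "").split(".")[0]);
  return {
    nodeMajor: major,
    node25: major === 25,
    jsTag: typeof wasm !== "undefined" && typeof wasm.JSTag !== "undefined",
  };
}
```

A vulnerable copy on a host where both preconditions are true is the case the advisory describes; a vulnerable copy elsewhere still needs the upgrade, since the maintainer only confirmed, not bounded, the affected configurations.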

At the beginning of the year vm2 faced another critical flaw tracked as CVE-2026-22709. Earlier issues include CVE-2023-30547, CVE-2023-29017 and CVE-2022-36067.

## Sources

- [BleepingComputer](https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/)

---
Canonical: https://techandbusiness.org/newswire/dwShKCC5FBZlnWiQ1I4byS
Retrieved: 2026-06-26T07:58:13.116Z
Publisher: Tech & Business (techandbusiness.org)
