
JavaScript Sandbox Breach: 13 Critical Flaws in vm2 Exposed

Last updated: 2026-05-09 04:12:06 · Programming

Thirteen severe security holes have been uncovered in the vm2 JavaScript sandbox library, allowing malicious code to break out of its isolation and compromise the host system. These vulnerabilities affect applications that use vm2 to run untrusted scripts, and developers are strongly urged to update to the latest version (3.11.2) immediately. The flaws include two particularly dangerous issues: CVE-2026-26956 and CVE-2026-44007, each enabling full sandbox escape and arbitrary code execution. Below, we break down the key details in a Q&A format.

What is vm2 and what are these 13 vulnerabilities?

vm2 is an open-source Node.js module that creates a sandboxed environment to run untrusted JavaScript code safely. It allows developers to restrict access to the host system's resources. The recently disclosed 13 vulnerabilities are critical security flaws that can break this sandbox, letting attacker-controlled scripts escape and execute arbitrary commands on the underlying server. The most severe issues—CVE-2026-26956 and CVE-2026-44007—both allow full sandbox escape with command execution. The vulnerabilities were reported by researchers at Socket and confirmed by vm2 maintainer Patrik Simek. The entire set of bugs is addressed in vm2 version 3.11.2.

Source: www.infoworld.com

What is CVE-2026-26956 and how does it work?

CVE-2026-26956 is a full sandbox escape vulnerability. An attacker who can inject JavaScript into the VM.run() function can obtain a reference to the host process object and run system commands without any cooperation from the host. Code that should be confined to the sandbox can therefore interact directly with the operating system. The flaw involves vm2's handling of WebAssembly exception-handling support, specifically the WebAssembly.JSTag object that certain Node.js versions expose. Socket researcher Wenxin Jiang described it as a narrow but high-impact issue: its exploitability depends on a precise combination of vm2 and Node.js versions, but when those conditions align, the security boundary fails completely.

What specific conditions are required for CVE-2026-26956 exploitation?

According to the original advisory, CVE-2026-26956 had been confirmed only on Node.js 25.6.1, a release that ships WebAssembly exception handling and JSTag support. The highest-risk scenario described there is an application running vm2 3.10.4 on Node.js 25 and passing user-supplied JavaScript into VM.run(). Socket later widened that guidance: the vulnerability affects all vm2 versions before 3.10.5 on any Node.js runtime that exposes WebAssembly.JSTag, including the Node.js 24.x series. Because the initial scope was narrower, dependency scanners keyed to the first advisory may have marked affected deployments as unaffected. If your setup matches these conditions, immediate patching is critical.

What is CVE-2026-44007 and how does it differ?

CVE-2026-44007 is an improper access control vulnerability in the vm2 library, specifically in how the nesting:true option interacts with the legacy module resolver. This bug allows a sandbox escape and execution of arbitrary OS commands on the host. Unlike CVE-2026-26956, which depends on WebAssembly features, CVE-2026-44007 is a general logic flaw triggered by enabling sandbox nesting. It was patched in vm2 version 3.11.1. Socket’s Wenxin Jiang emphasized that while both issues deserve urgent attention, the nesting vulnerability may be more widespread because it doesn't require a specific Node.js version. Organizations should audit their vm2 configurations for the nesting option and upgrade immediately.

Which versions of vm2 and Node.js are affected?

The 13 vulnerabilities affect vm2 versions prior to 3.11.2. Specifically:

  • CVE-2026-26956: affects all vm2 versions before 3.10.5 on Node.js 24.x and 25.x (with WebAssembly.JSTag).
  • CVE-2026-44007: affects vm2 versions before 3.11.1 when using nesting:true.
The broader set of holes is fixed in the latest release, vm2 3.11.2. Since many applications rely on vm2 to run user-supplied scripts, any installation running a version earlier than 3.11.2 should be treated as vulnerable to at least some of the 13 flaws. Check your package.json and the resolved version in your lockfile and node_modules to confirm you are on a safe version.


How should developers respond to these vulnerabilities?

Developers using vm2 must take immediate action:

  1. Upgrade to the latest version: npm install vm2@3.11.2 (or newer).
  2. Review sandbox usage: If you pass user-controlled scripts to VM.run(), assume any pre-patch deployment could be compromised. Audit logs for anomalous behavior.
  3. Consider alternatives: Socket has issued an unofficial patch for teams that cannot upgrade right away, but the safest long-term approach is to move to a modern sandbox solution like Node.js's built-in vm module with stricter limitations, or use a WebAssembly-based sandbox.
  4. Update dependency scanners: Socket warned that some scanners may incorrectly mark affected deployments as safe, so manual verification of vm2 versions and Node.js runtime is essential.
For CSOs, both CVE-2026-26956 and CVE-2026-44007 require urgent patching. The nesting issue (CVE-2026-44007) may need faster action due to its broader exploitability.
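To make the verification in step 4 concrete, the following Node.js script is an added example written for this page; it is not vm2's code, Socket's patch, or part of the original article. It checks the three preconditions the article describes: whether the resolved vm2 version in a package-lock.json falls below the fixed version for each CVE (3.10.5, 3.11.1 and 3.11.2), whether the current runtime exposes WebAssembly.JSTag (the Node.js precondition for CVE-2026-26956), and whether a vm2 option object enables nesting:true (the precondition for CVE-2026-44007). The lockfile fragment and option object are constructed sample inputs, and the lockfile path key `node_modules/vm2` assumes lockfileVersion 2 or 3 with vm2 installed at the top level.

```javascript
'use strict';

// Added triage helper (not vm2's or Socket's code). Fixed versions are those
// stated in the article for each issue.
const FIXES = {
  'CVE-2026-26956': '3.10.5', // WebAssembly.JSTag sandbox escape
  'CVE-2026-44007': '3.11.1', // nesting:true / legacy module resolver escape
  'all 13 flaws': '3.11.2',   // cumulative fix release
};

// Minimal x.y.z comparison. Assumption: vm2 release tags are plain semver
// without prerelease suffixes, so no prerelease handling is needed here.
function cmpSemver(a, b) {
  const pa = a.replace(/^v/, '').split('.').map(Number);
  const pb = b.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Runtime precondition for CVE-2026-26956: the runtime exposes WebAssembly.JSTag.
// Pass a different object to evaluate another runtime's WebAssembly global.
function runtimeExposesJSTag(wasm = globalThis.WebAssembly) {
  return Boolean(wasm) && typeof wasm.JSTag !== 'undefined';
}

// Configuration precondition for CVE-2026-44007: vm2 instantiated with nesting:true.
function usesNesting(options) {
  return Boolean(options && options.nesting === true);
}

// Which fix sets an installed vm2 version is still missing, in advisory order.
function missingFixes(installedVersion) {
  return Object.entries(FIXES)
    .filter(([, fixed]) => cmpSemver(installedVersion, fixed) < 0)
    .map(([id]) => id);
}

// Resolved vm2 version from a parsed package-lock.json (lockfileVersion 2/3 layout).
function vm2VersionFromLock(lock) {
  const pkg = lock && lock.packages && lock.packages['node_modules/vm2'];
  return pkg ? pkg.version : null;
}

// Combine version, runtime and configuration checks into one report.
function assess(lock, options, wasm) {
  const version = vm2VersionFromLock(lock);
  const missing = version ? missingFixes(version) : [];
  const jstagExposed = runtimeExposesJSTag(wasm);
  const nesting = usesNesting(options);
  return {
    version,
    missing,
    jstagExposed,
    nesting,
    // Both preconditions the article gives for each escape must hold.
    cve26956Reachable: missing.includes('CVE-2026-26956') && jstagExposed,
    cve44007Reachable: missing.includes('CVE-2026-44007') && nesting,
    // Anything below 3.11.2 still lacks part of the 13-flaw fix set.
    upgradeRequired: missing.length > 0,
  };
}

// Constructed sample inputs: the article's highest-risk vm2 version with nesting enabled.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/vm2': { version: '3.10.4' } },
};
const SAMPLE_OPTIONS = { nesting: true, timeout: 1000 };

// Evaluated against the runtime this script actually runs on.
const SAMPLE_REPORT = assess(SAMPLE_LOCK, SAMPLE_OPTIONS);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Run it with the Node.js version your application deploys on, not a developer workstation, since the jstagExposed result is what distinguishes a Node.js 24/25 runtime from an older one. A report with upgradeRequired set to true means the version check alone is enough to act on, regardless of the runtime and option results.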

Did Socket provide additional guidance after initial disclosure?

Yes. One day after the original story, Socket issued an update stating that the scope of CVE-2026-26956 is broader than first reported. Their testing showed the vulnerability affects all vm2 versions before 3.10.5 on Node.js runtimes that expose WebAssembly.JSTag, including the Node.js 24.x series. This means some dependency scanners may incorrectly mark vulnerable deployments as unaffected. Socket has released a temporary patch for teams that cannot immediately upgrade to 3.11.2. The researchers also emphasized that the nesting vulnerability (CVE-2026-44007) might require more urgent auditing for organizations using the nesting:true option. Developers should monitor vm2's GitHub repository for further updates.