Critical (9.8)

vm2 sandbox escape RCE (CVE-2026-26332)

CVE-2026-26332: vm2 <3.11.0 sandbox escape lets attackers run arbitrary code on host via SuppressedError (CVSS 9.8). Update to 3.11.0 immediately.

Affected: vm2 (Vm2 Project), all versions prior to 3.11.0

Patch now - CVE-2026-26332 is a critical sandbox escape in vm2 versions prior to 3.11.0: an attacker who can get JavaScript evaluated inside the sandbox can break out of it and execute arbitrary code on the host with the privileges of the Node.js process. The fix is in 3.11.0; update every deployment, including copies of vm2 pulled in transitively by other packages.

Overview

CVE-2026-26332 is a sandbox escape vulnerability in vm2, a widely used Node.js library that wraps the built-in vm module and tries to isolate untrusted JavaScript behind proxied host objects. The flaw lies in how versions prior to 3.11.0 handle SuppressedError, the standard error class introduced alongside explicit resource management (using declarations), which carries two other error objects in its error and suppressed properties. An attacker who can run code inside the vm2 sandbox, for example through user-submitted scripts or evaluated expressions, can use this mishandling to break out of the sandbox and run arbitrary commands on the host.

The vulnerability carries a CVSS score of 9.8 (Critical): it is reachable over the network, needs no privileges and no user interaction, and has low attack complexity. The score assumes the attacker can already submit code to the sandbox, which is the normal deployment model for vm2 rather than an extra hurdle. Any application that runs untrusted JavaScript through vm2 in a version before 3.11.0 is exposed to full host compromise.

This is not currently known to be actively exploited, but sandbox escape vulnerabilities in vm2 have a history of being weaponized quickly once discovered. Organizations should treat this as an urgent patching priority.

Impact

A successful exploit of CVE-2026-26332 allows an attacker to escape the vm2 sandbox and execute arbitrary commands on the host operating system with the privileges of the Node.js process. This can lead to complete system takeover, data exfiltration, installation of backdoors, or lateral movement within the network. Applications affected include cloud-based code execution services, developer tools, testing frameworks, and any platform that evaluates user-supplied JavaScript in a vm2 sandbox.

Remediation

The only complete fix is to upgrade vm2 to version 3.11.0 or later:

  • Update your dependency to 3.11.0 or later, for example with npm install vm2@^3.11.0, and commit the updated lockfile.
  • Verify every deployment is on the patched version, including any copy of vm2 that another package installs under its own node_modules; a nested copy can be the one actually loaded by the code path that runs untrusted scripts.
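The verification step above is easy to get wrong when vm2 arrives as a transitive dependency. The following script is an added example written for this page, not code from the vm2 project: it walks the packages map of a package-lock.json (lockfileVersion 2 or 3), reports every installed copy of vm2 at any depth, and flags the ones below 3.11.0. The lockfile embedded in it is constructed for illustration; the package name script-runner is hypothetical.

```javascript
// Added example (not vm2 project code): find every copy of vm2 in a
// package-lock.json (lockfileVersion 2 or 3) and flag versions below the
// fixed release, 3.11.0. Nested copies under node_modules/<dep>/node_modules/vm2
// are found as well, which a plain "npm ls" without --all can miss.
"use strict";

const FIXED_VERSION = "3.11.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three numbers.
// Prerelease/build suffixes are dropped deliberately: a prerelease of 3.11.0
// is treated as 3.11.0 here, so treat such tags with extra care.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableVersion(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Walk the "packages" map. Keys are install paths such as "node_modules/vm2"
// or "node_modules/foo/node_modules/vm2"; the empty key is the root project.
function findVm2Copies(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue;
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = meta.name || installPath.split("node_modules/").pop();
    if (name !== "vm2" || typeof meta.version !== "string") continue;
    hits.push({
      path: installPath,
      version: meta.version,
      vulnerable: isVulnerableVersion(meta.version),
    });
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): a direct copy of
// vm2 still on 3.9.19 and a nested copy under a hypothetical package that is
// already on 3.11.0.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/script-runner": { version: "2.0.0" },
    "node_modules/script-runner/node_modules/vm2": { version: "3.11.0" },
  },
};

// Usage: node check-vm2.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const hit of findVm2Copies(lock)) {
    const tag = hit.vulnerable ? "VULNERABLE" : "ok        ";
    console.log(`${tag} ${hit.path} (${hit.version})`);
  }
}
```

Run it against each deployed service's lockfile, not only the repository's, since images built at different times can pin different versions. As a cross-check on a live install, npm ls vm2 --all lists every resolved copy in the tree.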

If immediate patching is not possible, consider these interim mitigations:

  • Disable any feature that lets users get JavaScript evaluated inside the vm2 sandbox until the upgrade is deployed.
  • Move untrusted code behind a real isolation boundary: a separate V8 isolate (for example isolated-vm) or a separate, unprivileged OS process or container. Note that worker_threads on their own are not a security boundary; a worker has the full Node.js API, including fs and child_process, so IPC restrictions do not stop code running inside it from reaching the host.
  • Run the process that hosts the sandbox with least privilege (read-only filesystem, no secrets in its environment) and restrict its outbound network access to limit the blast radius if an escape succeeds.

Security Insight

This is the latest in a series of sandbox escapes in vm2, and it reflects a structural problem rather than a one-off bug: vm2 builds on the Node.js vm module, which Node itself documents as not being a security mechanism, and it relies on intercepting every host object that crosses into the sandbox with proxies. Any host-created object that reaches the sandbox unwrapped, an exception being the classic case, hands the attacker a path back to the host realm. Past incidents such as CVE-2023-29199 and CVE-2022-36067 followed the same pattern, with exceptions or error objects as the escape vector, and a new standard error type with its own nested error properties is exactly the kind of surface that pattern keeps exposing. Organizations that rely on vm2 for security-critical isolation should treat this as a signal to evaluate designs where untrusted code simply has no reference to host objects to begin with, such as a separate V8 isolate or OS process with an explicit allow-list of exposed APIs, rather than proxy-based interception of a shared runtime.
