Critical vm2 sandbox bug lets attackers execute code on hosts
Briefly

"CVE-2026-26956 stems from the library's erroneous handling of exceptions crossing between the sandboxed environment and the host. The advisory explains that vm2 normally relies on JavaScript-level protections that safeguard against host-based errors and bridge Proxies that wrap cross-context objects, both running entirely within JavaScript."
"WebAssembly exception handling can intercept JavaScript errors at a lower level inside Google's V8 engine, bypassing vm2's JavaScript-based security defenses. By triggering a specially crafted TypeError using Symbol-to-string conversion, attackers can cause a host-side error object to leak back into the sandbox without being sanitized by vm2."
A vulnerability in the Node.js library vm2, tracked as CVE-2026-26956, allows attackers to escape the sandbox and execute arbitrary code on the host. The issue affects vm2 version 3.10.4 and potentially earlier versions, particularly in environments running Node.js 25 with WebAssembly exception handling enabled. It arises from improper handling of exceptions that cross between the sandbox and the host: an attacker can use a crafted TypeError to leak host objects into the sandbox, bypassing vm2's security measures and gaining access to sensitive Node.js internals.
Read at BleepingComputer
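A defender-side check for the conditions named above, as an added example that is not code from the advisory or the vm2 project: it walks a parsed `package-lock.json` for every vm2 copy, including nested ones, and flags versions at or below 3.10.4. The function names, the use of `WebAssembly.Tag` as a probe for WebAssembly exception handling, and the sample lockfile are assumptions made for this example.

```javascript
// Added example: audit a parsed package-lock.json for vm2 copies at or below 3.10.4.
const NAMED_AFFECTED = '3.10.4'; // version named on this page; no fixed version is stated there

// Compare dotted numeric versions; prerelease/build suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Collect every vm2 copy, nested ones included, from lockfile v2/v3 ("packages")
// or v1 ("dependencies") layouts. A copy with no recorded version is flagged too.
function findVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map(h => ({
    ...h, flagged: !h.version || cmpVersion(h.version, NAMED_AFFECTED) <= 0 }));
}

// Runtime condition from the summary. Assumption: WebAssembly.Tag presence is the feature probe.
function runtimeMatches(nodeVersion = process.versions.node,
                        wasmEH = typeof WebAssembly.Tag === 'function') {
  return Number(nodeVersion.split('.')[0]) === 25 && wasmEH;
}

// Constructed sample lockfile (v3 layout) with a top-level and a nested copy.
const sampleLock = {
  packages: {
    'node_modules/vm2': { version: '3.10.4' },
    'node_modules/runner/node_modules/vm2': { version: '3.9.19' },
    'node_modules/vm2-helper': { version: '1.0.0' },
  },
};
console.log(findVm2(sampleLock), 'runtime matches:', runtimeMatches());
```

A version above 3.10.4 is reported as unflagged only because this page does not name it; check the advisory for the fixed release before treating it as safe.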