Node.js 25: Escape from the vm2 JavaScript sandbox possible
The vm2 sandbox for the open-source JavaScript runtime environment Node.js is vulnerable under certain settings.
If the prerequisites are met, attackers can break out of the vm2 sandbox on a Node.js instance and execute malicious code. A proof-of-concept exploit is public, but so far there are no reports of attackers exploiting the vulnerability. The developers have since released a security update.
Details of the security vulnerability
A security advisory on GitHub rates the vulnerability (CVE-2026-26956) as “critical”. The developers state that only Node.js 25 is affected and that they successfully reproduced the vulnerability in v25.6.1. Specifically, version 3.10.4 of vm2 is vulnerable. The vulnerability has been fixed in version 3.10.5. However, instances are only attackable if WebAssembly exception handling and JSTag support are active.
If this is the case, attackers can trigger errors with prepared requests and thereby bypass the vm2 security filters. They can then execute their own code on the host system. Given the critical rating, it can be assumed that systems are fully compromised after a successful attack. The developers provide further details on the vulnerability and a possible attack scenario in the advisory.
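The conditions named above (Node.js 25, a vm2 release below the fixed 3.10.5, JSTag support) can be checked against a project's npm lockfile, including vm2 copies pulled in by other dependencies. The following JavaScript is an added example, not code from the vm2 project or the advisory; the function names, the sample lockfile, and the use of a `WebAssembly.JSTag` property as the feature signal are assumptions.

```javascript
// Added example: exposure check for the conditions named in the article.
// Version constants come from the article; the lockfile below is constructed sample data.
const AFFECTED_NODE_MAJOR = 25;
const FIXED_VM2 = [3, 10, 5];

// Parse "3.10.4" or "v25.6.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a is strictly lower than b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Collect every vm2 copy in an npm lockfile (v2/v3 "packages" map),
// including copies nested under other dependencies.
function findVm2(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/vm2$/.test(path))
    .map(([path, pkg]) => {
      const ver = parseVersion(pkg.version);
      // Assumption: any release below the fixed 3.10.5 is treated as unpatched;
      // unparsable versions are flagged too so they get a manual look.
      return { path, version: pkg.version, unpatched: !ver || isBelow(ver, FIXED_VM2) };
    });
}

// Exposed only when all conditions from the article hold at the same time.
function assessExposure(lock, nodeVersion, hasJSTag) {
  const unpatched = findVm2(lock).filter((p) => p.unpatched);
  const nodeAffected = (parseVersion(nodeVersion) || [])[0] === AFFECTED_NODE_MAJOR;
  return { unpatched, nodeAffected, hasJSTag,
    exposed: unpatched.length > 0 && nodeAffected && hasJSTag };
}

// Constructed sample lockfile: one patched direct copy, one unpatched nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/vm2": { version: "3.10.5" },
  "node_modules/rule-engine/node_modules/vm2": { version: "3.10.4" },
  "node_modules/vm2-helper": { version: "1.0.0" },
} };

// Assumption: a WebAssembly.JSTag property signals JSTag support in this runtime.
const jsTag = typeof WebAssembly === "object" && "JSTag" in WebAssembly;
console.log(assessExposure(sampleLock, process.version, jsTag));
```

To check a real project, pass the parsed contents of its `package-lock.json` instead of `sampleLock` and run the script with the same Node.js binary that runs the application.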
(des)