CVE-2026-26332 Overview
CVE-2026-26332 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.0 mishandle the SuppressedError global introduced by the ECMAScript explicit resource management proposal. Attackers who supply untrusted code to a vm2 sandbox can break the isolation boundary and execute arbitrary code in the host Node.js process. The maintainers patched the issue in version 3.11.0. The flaw is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Attackers escape the vm2 sandbox and achieve arbitrary code execution on the host, fully compromising any application that evaluates untrusted code through vm2.
Affected Products
- vm2 versions prior to 3.11.0
- Node.js applications embedding vm2 for untrusted code evaluation
- Server-side platforms using vm2 as an isolation primitive (function-as-a-service runtimes, online code editors, scripting hosts)
Discovery Timeline
- 2026-05-04 - CVE-2026-26332 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-26332
Vulnerability Analysis
vm2 virtualizes a Node.js context and proxies host objects so that sandboxed scripts cannot reach internal Node.js APIs. The library wraps prototypes, intrinsics, and error types to prevent guest code from obtaining a reference to a host-realm object. The vulnerability arises because SuppressedError, a relatively new built-in error constructor, was not included in the set of intrinsics that vm2 sanitizes. When sandboxed code triggers the constructor, the resulting error object retains a prototype chain that crosses the sandbox boundary.
Once guest code obtains a host-realm prototype, it can walk the chain to reach Function, construct arbitrary functions in the host realm, and invoke process, require, or other Node.js APIs. The result is full arbitrary code execution outside the sandbox under the privileges of the Node.js process. The attack does not require authentication or user interaction and is reachable over the network whenever an application accepts untrusted scripts.
Root Cause
The root cause is incomplete coverage of JavaScript intrinsics in the vm2 proxy layer. SuppressedError was added to the language specification after vm2's isolation logic was written, so the constructor was never wrapped and added to the set of sanitized globals exposed to the sandbox. This omission lets guest code obtain an unsandboxed object whose prototype references cross-realm internals. CWE-94 applies because the flaw enables generation and execution of attacker-controlled code in a privileged context.
Attack Vector
Exploitation requires only the ability to submit JavaScript to a vm2 sandbox. An attacker crafts a payload that instantiates SuppressedError, retrieves its constructor or prototype, and uses the leaked reference to obtain process or require. From there the attacker executes shell commands, reads files, opens network sockets, or pivots into the wider environment. Because the issue is reachable from any code path that calls vm.run() on attacker input, exploitation is trivial in deployments that use vm2 to evaluate user-supplied scripts.
No verified public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-55hx-c926-fr95 for vendor technical details.
Detection Methods for CVE-2026-26332
Indicators of Compromise
- Unexpected child processes spawned by the Node.js process hosting vm2, particularly shells (/bin/sh, cmd.exe) or interpreters (python, curl, wget).
- Outbound network connections from the Node.js host to unfamiliar destinations shortly after sandboxed script execution.
- Sandboxed scripts that reference SuppressedError, walk __proto__, constructor, or prototype chains, or attempt to access process, require, or global.
- File reads or writes outside the application's normal working directory by the Node.js process.
Detection Strategies
- Inventory all Node.js applications and identify any dependency on vm2 at versions below 3.11.0 using software composition analysis or npm ls vm2.
- Inspect submitted sandbox scripts for tokens such as SuppressedError, constructor.constructor, or process.mainModule and alert on matches.
- Compare runtime process trees against a baseline so any non-Node child process spawned from the application is flagged.
Monitoring Recommendations
- Enable EDR process-lineage telemetry on hosts running Node.js services that embed vm2.
- Forward Node.js application logs and host process events to a SIEM and correlate sandbox execution with subsequent process creation.
- Apply egress filtering and alert on outbound traffic from sandbox-hosting workloads to non-allowlisted destinations.
How to Mitigate CVE-2026-26332
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later in every affected Node.js project and rebuild dependent images.
- Audit applications that pass untrusted input to vm2 and temporarily disable those features until the patched release is deployed.
- Rotate any secrets accessible to the Node.js process if untrusted scripts were processed by a vulnerable build.
Patch Information
The maintainers fixed the issue in vm2 release v3.11.0. Update the dependency with npm install vm2@^3.11.0 or the equivalent yarn or pnpm command, then redeploy. The vendor advisory is published at GHSA-55hx-c926-fr95. Note that the vm2 project has been deprecated by its maintainer; teams should plan migration to a supported isolation mechanism such as isolated-vm or out-of-process sandboxing.
Workarounds
- Move untrusted script execution into a separate OS process with reduced privileges and resource limits, isolated by containers or seccomp.
- Restrict the host Node.js process with mandatory access controls (AppArmor, SELinux) to deny unexpected file and network access.
- Validate or reject input scripts that reference SuppressedError or other error-constructor escape primitives until patching completes.
# Update vm2 to a patched release
npm install vm2@^3.11.0
npm ls vm2
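The token pre-screen from the detection strategies and workarounds above, together with the version comparison behind the npm ls check, as an added example written for this page (it is not code from the advisory or from the vm2 project). The token list is taken from the indicators named on this page; the sample script and version strings are constructed.

```javascript
// Added example, not code from the advisory or the vm2 project: a pre-screen
// for scripts submitted to a vm2 sandbox plus a dependency version check.
// The token list is built from the indicators this page names.

const SUSPICIOUS_PATTERNS = [
  // whole-identifier matches so "processor" or "requirements" do not trigger
  { token: 'SuppressedError', re: /\bSuppressedError\b/ },
  { token: 'constructor.constructor', re: /\bconstructor\s*\.\s*constructor\b/ },
  { token: 'process.mainModule', re: /\bprocess\s*\.\s*mainModule\b/ },
  { token: '__proto__', re: /\b__proto__\b/ },
  { token: 'require(', re: /\brequire\s*\(/ },
];

// Returns one finding per matching pattern: the token and the first line hit.
function scanSandboxScript(source) {
  const lines = source.split('\n');
  const findings = [];
  for (const { token, re } of SUSPICIOUS_PATTERNS) {
    const idx = lines.findIndex((l) => re.test(l));
    if (idx !== -1) findings.push({ token, line: idx + 1 });
  }
  return findings;
}

// True when a vm2 version string is below the fixed release 3.11.0.
// Accepts "3.9.19" or "v3.9.19"; any pre-release suffix is ignored.
function isVulnerableVm2(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const have = m.slice(1).map(Number);
  const fixed = [3, 11, 0];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] < fixed[i];
  }
  return false; // exactly 3.11.0 is the patched release
}

// Constructed sample script for a stand-alone run (not a real submission).
const SAMPLE_SCRIPT = [
  'function run(cb) { try { cb(); } catch (e) { report(e); } }',
  'run(() => { throw new SuppressedError(new Error("a"), new Error("b")); });',
  'const entry = process.mainModule;',
].join('\n');

console.log(scanSandboxScript(SAMPLE_SCRIPT));
console.log(isVulnerableVm2('3.9.19'));
```

A match from scanSandboxScript is a reason to reject or quarantine the submission for review, not proof of exploitation; the version check is the gate that actually closes the issue.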
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.