Critical vm2 Vulnerability Allows Arbitrary Code Execution on Host Systems
Severity: High (Score: 72.9)
Sources: www.npmjs.com, Bleepingcomputer, Cybersecuritynews, Heise.De, Thehackernews
Summary
A critical vulnerability (CVE-2026-26956) in the vm2 Node.js sandboxing library enables attackers to escape the sandbox and execute arbitrary code on the host system. The flaw affects vm2 version 3.10.4 and earlier, specifically in environments running Node.js 25 with WebAssembly exception handling enabled. It arises from improper handling of exceptions that cross the boundary between the sandbox and the host, which gives attackers access to sensitive Node.js internals. Users are urged to upgrade to vm2 version 3.10.5 or later to mitigate the risk. This incident is part of a series of vulnerabilities affecting vm2, highlighting the ongoing difficulty of securely isolating untrusted code. The library is widely used, with over 1.3 million weekly downloads, so numerous applications that rely on it to execute user-supplied scripts are affected.

Key Points:
- CVE-2026-26956 allows arbitrary code execution on host systems running vulnerable vm2 versions.
- The vulnerability affects environments with Node.js 25 and WebAssembly exception handling enabled.
- Users should upgrade to vm2 version 3.10.5 or later to mitigate exploitation risks.
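The practical question for a defender reading this summary is whether any copy of vm2 in a deployment is still below the fixed release 3.10.5, including nested copies pulled in transitively, and whether the runtime is the Node.js 25 environment the advisory names. The following script is an added example written for this page; it is not code from the advisory, its sources, or the vm2 project. It assumes an npm lockfile in the lockfileVersion 2/3 layout (a top-level `packages` map keyed by install path); the sample lockfile and the dependency `some-plugin` in it are constructed for illustration, and treating Node.js majors above 25 as in scope is a conservative assumption, not something the summary states.

```javascript
// Added example (not from the advisory or the vm2 project): find every vm2
// install in a package-lock.json and flag versions below the fixed release.
const FIXED_VERSION = "3.10.5"; // first patched vm2 release named in the advisory

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every installed copy of vm2, direct or nested, with its lockfile path.
function findVm2Entries(lock) {
  const pkgs = lock.packages || {};
  return Object.entries(pkgs)
    .filter(([path]) => path === "node_modules/vm2" || path.endsWith("/node_modules/vm2"))
    .map(([path, info]) => ({ path, version: info.version }));
}

// vm2 installs that are older than the fixed version.
function findVulnerableVm2(lock) {
  return findVm2Entries(lock).filter((e) => compareSemver(e.version, FIXED_VERSION) < 0);
}

// The advisory names Node.js 25; later majors are treated as in scope here
// as a conservative assumption (the summary does not address them).
function runtimeInAdvisoryScope(major = Number(process.versions.node.split(".")[0])) {
  return major >= 25;
}

// Constructed sample lockfile: a patched direct install plus a still-vulnerable
// nested copy brought in by a hypothetical dependency "some-plugin".
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { vm2: "^3.10.5" } },
    "node_modules/vm2": { version: "3.10.5" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.4" },
  },
};

// Prints findings and returns true when no vulnerable copy is present.
function report(lock) {
  const vulnerable = findVulnerableVm2(lock);
  for (const v of vulnerable) {
    console.log(`VULNERABLE: ${v.path} is vm2@${v.version} (< ${FIXED_VERSION})`);
  }
  if (vulnerable.length > 0 && runtimeInAdvisoryScope()) {
    console.log("Runtime is Node.js 25 or later: matches the advisory's affected environment.");
  }
  return vulnerable.length === 0;
}

report(SAMPLE_LOCK);
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Nested copies matter: a direct dependency bumped to 3.10.5 does not remove an older vm2 that another package still pins, which is why the scan matches on every `node_modules/vm2` path rather than only the top-level one.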
Key Entities
- DDoS (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2022-36067 (cve)
- CVE-2023-29017 (cve)
- CVE-2023-30547 (cve)
- CVE-2026-22709 (cve)
- CVE-2026-26956 (cve)
- CWE-78 - OS Command Injection (cwe)
- T1203 - Exploitation for Client Execution (mitre_attack)
- Node.js (tool)
- V8 (platform)
- Vm2 (vulnerability)