Description
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.
Published: 2026-05-04
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows code executed within the VM.run() context to obtain a reference to the host process object and invoke arbitrary host commands without any cooperation from the host. This is a full escape from the intended sandbox: the attacker gains the privileges of the Node.js process, which can lead to compromise of the entire host system.

Affected Systems

The affected component is patriksimek's vm2 JavaScript sandbox library for Node.js. Version 3.10.4 is vulnerable; the issue was addressed and fixed in version 3.10.5. No specific Node.js runtime version is mentioned in the advisory, although the title references Node 25.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. EPSS data is not available, and the absence of a KEV listing suggests exploitation has not yet been observed in the wild. The likely attack vector is an attacker supplying malicious JavaScript to the VM.run() method; that code can obtain a handle to the host process object and execute arbitrary system commands with the privileges of the Node.js runtime.

Generated by OpenCVE AI on May 4, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update vm2 to version 3.10.5 or later to apply the vendor fix.
  • If an upgrade is not immediately feasible, remove or tightly restrict calls to VM.run() in production code to prevent untrusted JavaScript from reaching the sandbox.
  • Conduct a security review of any remaining untrusted execution paths, ensuring proper input validation and least‑privilege execution, in line with CWE‑693 mitigation guidance.


Advisories

No advisories yet.

History

Mon, 04 May 2026 19:15:00 +0000

Type: First Time appeared
Values removed: none
Values added: Patriksimek; Patriksimek vm2

Type: Vendors & Products
Values removed: none
Values added: Patriksimek; Patriksimek vm2

Mon, 04 May 2026 17:15:00 +0000

Type: Description
Values removed: none
Values added: vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Type: Title
Values removed: none
Values added: vm2: WASM Sandbox Escape (Node 25 only)

Type: Weaknesses
Values removed: none
Values added: CWE-693

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T16:37:31.538Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26956

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T17:16:22.553

Modified: 2026-05-04T17:16:22.553

Link: CVE-2026-26956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses