Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape
A critical sandbox escape vulnerability (CVE-2026-26956) in the vm2 Node.js library allows attackers to execute arbitrary OS commands by leveraging WebAssembly.JSTag via VM.run(). The flaw affects versions 0.2.2 through 3.10.4 on Node.js runtimes exposing this tag, prompting the release of vm2 3.10.5 and a free Certified Patch from Socket to remove the tag from the sandbox environment.
Authors: Wenxin Jiang, Marvin Fleischer, Jonah Ghebremichael
Source: Socket
Detection / Hunter: Google
What Happened
A critical security flaw was found in vm2, a popular library used to run untrusted JavaScript inside Node.js applications with the intent of keeping it isolated. The flaw lets malicious code break out of that restricted environment and run commands directly on the host. Anyone running an affected vm2 version (0.2.2 through 3.10.4) on a Node.js runtime that exposes WebAssembly.JSTag is at risk of compromise. Because a successful escape runs with the privileges of the host application, it can lead to full system takeover. Developers should immediately update to vm2 3.10.5 or apply the provided security patch.
Key Takeaways
- A critical sandbox escape vulnerability (CVE-2026-26956 / GHSA-ffh4-j6h5-pg66) was discovered in the vm2 Node.js library.
- The vulnerability affects vm2 versions 0.2.2 through 3.10.4, a significantly broader range than initially reported in the GitHub advisory.
- Exploitation requires attacker-controlled code to reach VM.run() on a Node.js runtime that exposes WebAssembly.JSTag (e.g., Node.js 24 and 25).
- Successful exploitation allows attackers to access the host Node.js process object and execute arbitrary operating system commands.
- Mitigation requires upgrading to vm2 3.10.5 or applying a free Certified Patch provided by Socket.
Affected Systems
- vm2 versions 0.2.2 through 3.10.4
- Node.js runtimes exposing WebAssembly.JSTag (including Node.js 24.15.0 and Node.js 25)
Vulnerabilities (CVEs)
- CVE-2026-26956
Attack Chain
An attacker supplies malicious JavaScript to an application that evaluates it using vm2's VM.run() function. The malicious code leverages the exposed WebAssembly.JSTag in the Node.js runtime to break out of the sandbox isolation. Once escaped, the code accesses the host Node.js process object. Finally, the attacker executes arbitrary operating system commands with the same privileges as the host application.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, queries, or signatures for identifying exploitation of this vulnerability.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect child processes spawning from the Node.js process, which is a strong indicator of post-exploitation OS command execution following a sandbox escape.
- Network Visibility: Low. The exploit occurs entirely within the Node.js runtime and does not inherently generate unique network traffic unless the payload downloads additional tools.
- Detection Difficulty: Moderate. Detecting the sandbox escape itself is difficult without deep application-level instrumentation, but detecting the resulting anomalous child processes spawned by Node.js is relatively straightforward.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- Application Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected child processes (e.g., cmd.exe, sh, bash) being spawned by the Node.js process hosting the vm2 sandbox, indicating a potential sandbox escape and OS command execution. | Process Creation Logs | Execution | Medium |
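The hunting hypothesis above, expressed as detection logic over process-creation telemetry. This is an added example, not detection content from the Socket advisory: the sample records are constructed for illustration and mimic the field names of Sysmon Event ID 1 / Windows 4688 (ParentImage, ParentCommandLine, Image, CommandLine), and the allowlist regex is a hypothetical tuning knob for the medium false-positive risk the table notes (npm scripts and build tooling legitimately shell out from node).

```javascript
// Added example (not from the advisory): flag a Node.js process spawning a
// shell, the post-escape behaviour the hunting hypothesis describes.
// Field names follow Sysmon Event ID 1 / Windows 4688; values are constructed.

const SHELLS = new Set(["cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "zsh"]);
const NODE_IMAGES = new Set(["node", "node.exe", "nodejs"]);

// Basename that works for both Windows and POSIX paths.
function basename(p) {
  return String(p).split(/[\\/]/).pop().toLowerCase();
}

// True when a Node.js parent spawns a shell. `allowedParents` (hypothetical
// tuning) is a list of regexes; parent command lines matching any of them are
// ignored so that known build/npm tooling does not fire the rule.
function isSuspiciousSpawn(rec, allowedParents = []) {
  const parent = basename(rec.ParentImage);
  const child = basename(rec.Image);
  if (!NODE_IMAGES.has(parent) || !SHELLS.has(child)) return false;
  return !allowedParents.some((re) => re.test(rec.ParentCommandLine || ""));
}

function huntNodeShellSpawns(records, allowedParents = []) {
  return records.filter((r) => isSuspiciousSpawn(r, allowedParents));
}

// Constructed sample telemetry (not real events).
const SAMPLE_EVENTS = [
  { EventID: 1, ParentImage: "C:\\Program Files\\nodejs\\node.exe",
    ParentCommandLine: "node.exe server.js",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c whoami" },
  { EventID: 1, ParentImage: "/usr/bin/node",
    ParentCommandLine: "node /app/sandbox-worker.js",
    Image: "/bin/sh", CommandLine: "sh -c 'id; cat /etc/passwd'" },
  { EventID: 1, ParentImage: "/usr/bin/node",            // node -> node: not a shell
    ParentCommandLine: "node /app/server.js",
    Image: "/usr/bin/node", CommandLine: "node /app/worker.js" },
  { EventID: 1, ParentImage: "/usr/bin/node",            // npm run script: expected noise
    ParentCommandLine: "node /usr/lib/node_modules/npm/bin/npm-cli.js run build",
    Image: "/bin/sh", CommandLine: "sh -c 'webpack --mode production'" },
  { EventID: 1, ParentImage: "/usr/sbin/cron",           // shell, but parent is not node
    ParentCommandLine: "cron",
    Image: "/bin/sh", CommandLine: "sh -c /etc/cron.daily/logrotate" },
];

// Run the hunt with the npm CLI allowlisted; returns the alerts it raised.
function demo() {
  const hits = huntNodeShellSpawns(SAMPLE_EVENTS, [/npm-cli\.js/]);
  for (const h of hits) {
    console.log(`ALERT parent="${h.ParentCommandLine}" child="${h.CommandLine}"`);
  }
  return hits;
}

demo();
```

Without the allowlist the npm build record also fires; in production the allowlist should be scoped to the hosts and parent command lines that are known to shell out, and anything the vm2-hosting service itself spawns should stay in scope.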
Control Gaps
- Application-level sandbox isolation (vm2) is insufficient without OS-level isolation (containers/VMs)
Key Behavioral Indicators
- Node.js process spawning unexpected shells or utilities
- Anomalous access to the Node.js process object from within a sandboxed context
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Upgrade to vm2 3.10.5 or later.
- Apply Socket's Certified Patch using 'socket patch add GHSA-ffh4-j6h5-pg66' if a direct upgrade is not immediately practical.
Infrastructure Hardening
- Run sandboxed workloads with least privilege.
- Use stronger isolation, such as separate processes or containers, for untrusted code execution.
User Protection
- N/A
Security Awareness
- Review whether sandboxed workloads have access to secrets, production credentials, filesystem access, or internal network resources.
- Identify services that pass untrusted JavaScript to VM.run() and confirm if they run on Node.js versions exposing WebAssembly.JSTag.
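The exposure check in the last item, as an added example that is not code from the Socket advisory or from vm2. It combines the two conditions the advisory states: the installed vm2 version falls in 0.2.2 through 3.10.4, and the running Node.js exposes WebAssembly.JSTag. The version comparison is hand-rolled so the script has no dependencies; reading vm2's version via `require("vm2/package.json")` is an assumption about that package's layout and falls back to null if it fails.

```javascript
// Added example (not from the advisory): preflight check for CVE-2026-26956
// exposure that a service can run at startup before it evaluates untrusted
// JavaScript with vm2's VM.run(). Both conditions below must hold for the
// sandbox to be exposed, per the advisory.

const AFFECTED_MIN = "0.2.2";   // first affected version (advisory)
const FIXED_IN = "3.10.5";      // first fixed version (advisory)

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any -pre/+build suffix are dropped.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// -1, 0 or 1 comparing a to b numerically field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_MIN <= version < FIXED_IN.
function vm2VersionIsAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// True when this process exposes the primitive the escape relies on.
function runtimeExposesJSTag() {
  return typeof WebAssembly !== "undefined" &&
         typeof WebAssembly.JSTag !== "undefined";
}

// Both conditions together. The second parameter lets a caller inject the
// runtime result (useful for testing or for checking a different runtime).
function sandboxIsExposed(vm2Version, exposesJSTag = runtimeExposesJSTag()) {
  return vm2VersionIsAffected(vm2Version) && exposesJSTag;
}

// Assumption: vm2 ships a readable package.json at this specifier. Returns
// null when vm2 is not installed or the file cannot be resolved.
function installedVm2Version() {
  if (typeof require !== "function") return null;
  try {
    return require("vm2/package.json").version;
  } catch {
    return null;
  }
}

if (typeof require === "function" && require.main === module) {
  const ver = installedVm2Version();
  console.log(`node ${process.version}, WebAssembly.JSTag exposed: ${runtimeExposesJSTag()}`);
  console.log(ver ? `vm2 ${ver} in affected range: ${vm2VersionIsAffected(ver)}`
                  : "vm2 not installed here");
  if (ver && sandboxIsExposed(ver)) process.exitCode = 1;   // non-zero = exposed
}
```

Run it with the same Node.js binary the service uses, since the JSTag condition depends on the runtime, not on the code. A true result from `sandboxIsExposed` should block startup of any path that feeds untrusted input to VM.run() until vm2 is upgraded or the Certified Patch is applied.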
MITRE ATT&CK Mapping
- T1611 - Escape to Host
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1059.004 - Command and Scripting Interpreter: Unix Shell
Additional IOCs
- Command Lines:
  - Purpose: Apply Socket Certified Patch for GHSA-ffh4-j6h5-pg66 to mitigate the vulnerability | Tools: socket | Stage: Mitigation | Command: socket patch add GHSA-ffh4-j6h5-pg66