{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/node.js/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-26956"}],"_cs_exploited":false,"_cs_products":["vm2 (= 3.10.4)","Node.js"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","wasm","vm2","javascript"],"_cs_type":"advisory","_cs_vendors":["vm2"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-26956, has been identified in vm2 version 3.10.4 when used with Node.js v25.6.1 (x64 Linux). This vulnerability allows for a complete sandbox escape, granting attackers the ability to execute arbitrary code on the host system. The attack is triggered by supplying malicious code to the \u003ccode\u003eVM.run()\u003c/code\u003e function. This vulnerability bypasses vm2\u0026rsquo;s intended security mechanisms, exploiting weaknesses in WebAssembly exception handling and JSTag support within the Node.js environment. The root cause lies in the insufficient sanitization of TypeError exceptions originating from Symbol-to-string coercion during stack formatting within WebAssembly\u0026rsquo;s \u003ccode\u003etry_table\u003c/code\u003e instruction. This flaw allows attacker code to gain access to the host process object and execute system commands without any cooperation from the host environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts malicious JavaScript code containing a WebAssembly module.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is passed as an argument to the \u003ccode\u003eVM.run()\u003c/code\u003e function within the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eThe WebAssembly module is instantiated, containing a function that triggers a TypeError by attempting Symbol-to-string coercion during stack formatting (e.g., \u003ccode\u003ee.name = Symbol(); e.stack\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etry_table\u003c/code\u003e instruction in WebAssembly catches the JavaScript exception at the V8 C++ level as an opaque \u003ccode\u003eexternref\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis exception is improperly sanitized by vm2 and returned to the attacker\u0026rsquo;s code as a function return value.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unsanitized TypeError object to access its constructor chain (\u003ccode\u003ehostError.constructor.constructor\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe constructor chain resolves to a Function object that, when called, returns the host process object.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the host process object to require modules like \u003ccode\u003echild_process\u003c/code\u003e and \u003ccode\u003econsole\u003c/code\u003e, enabling arbitrary code execution on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely bypass the vm2 sandbox and execute arbitrary code on the host system with the privileges of the Node.js process. This can lead to complete system compromise, data exfiltration, and other malicious activities. Given the criticality of many applications relying on sandboxed environments, this vulnerability poses a significant risk to affected systems. Observed successful exploitation allowed for privilege escalation to root.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of vm2 that addresses CVE-2026-26956 if available from the vendor.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, consider disabling WebAssembly exception handling or JSTag support in Node.js v25.6.1.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes spawned from Node.js processes, as detected by the rule \u0026ldquo;Detect Suspicious Node.js Child Processes\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WebAssembly with JSTag\u0026rdquo; to identify the use of WebAssembly with JSTag functionality, which is a prerequisite for exploiting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T16:44:16Z","date_published":"2026-05-05T16:44:16Z","id":"/briefs/2024-01-03-vm2-sandbox-escape/","summary":"A critical vulnerability, CVE-2026-26956, exists in vm2 version 3.10.4 when running on Node.js v25.6.1 (x64 Linux), allowing a full sandbox escape with arbitrary code execution through attacker-controlled code passed to `VM.run()`.","title":"VM2 Sandbox Escape Vulnerability (CVE-2026-26956)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-vm2-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Node.js","version":"https://jsonfeed.org/version/1.1"}