Socket has identified a critical sandbox escape vulnerability (CVE-2026-26956) in vm2, a JavaScript sandboxing library for Node.js. The flaw allows attacker-controlled JavaScript passed to `VM.run()` to escape the sandbox and execute arbitrary OS commands on the host process by exploiting `WebAssembly.JSTag`. Contrary to the existing advisory, Socket confirmed the vulnerability affects all vm2 versions from 0.2.2 through 3.10.4 and is not limited to Node.js 25 — Node.js 24 is also affected. Socket is releasing free Certified Patches for the vulnerability, applicable via `socket patch add GHSA-ffh4-j6h5-pg66`, and recommends upgrading to vm2 3.10.5, auditing transitive dependencies, and adopting stronger isolation like containers for untrusted code execution.
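Because vm2 is often pulled in transitively (plugin runners, template engines, test harnesses), the practical first step is to find every copy in a dependency tree and check it against the affected range the advisory states (0.2.2 through 3.10.4). The script below is an added example, not Socket's or vm2's code: it walks the JSON tree that `npm ls --all --json` produces and flags each vm2 install in that range. The dependency tree embedded here is constructed for illustration (the package name `plugin-runner` is hypothetical), and the version parser assumes plain `major.minor.patch` strings, ignoring any prerelease or build suffix.

```javascript
// Added example: audit an `npm ls --all --json` tree for vm2 copies in the
// affected range 0.2.2 <= v <= 3.10.4 reported for CVE-2026-26956.
// Not code from Socket or the vm2 project.

const AFFECTED_RANGE = { min: [0, 2, 2], max: [3, 10, 4] };

// Parse "major.minor.patch" into a numeric triple. Prerelease/build suffixes
// (e.g. "3.10.5-beta.1") are dropped, which is an assumption of this example.
function parseVersion(version) {
  const core = version.split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  return parts;
}

// Lexicographic compare of two version triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's affected range (inclusive).
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_RANGE.min) >= 0 &&
         compareVersions(v, AFFECTED_RANGE.max) <= 0;
}

// Recursively walk an `npm ls --json` tree and collect every vm2 install with
// the path through which it was pulled in. Entries without a version
// (e.g. missing or unresolved packages) are skipped.
function findVm2(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version || '?'}`];
    if (name === 'vm2' && info.version) {
      out.push({
        path: here.join(' > '),
        version: info.version,
        affected: isAffected(info.version),
      });
    }
    findVm2(info, here, out);
  }
  return out;
}

// Constructed sample tree in the shape `npm ls --all --json` emits; the
// `plugin-runner` package is hypothetical and exists only for illustration.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    vm2: { version: '3.10.5' },                    // patched top-level copy
    'plugin-runner': {
      version: '2.1.0',
      dependencies: {
        vm2: { version: '3.9.19' },                // vulnerable nested copy
      },
    },
    lodash: { version: '4.17.21' },
  },
};

// Stand-alone usage: pipe `npm ls --all --json` into a file and JSON.parse it
// in place of sampleTree to audit a real project.
for (const hit of findVm2(sampleTree)) {
  const status = hit.affected ? 'AFFECTED' : 'ok';
  console.log(`${status.padEnd(8)} ${hit.path}`);
}
```

The walk reports the path for each hit, which matters in practice: a patched top-level vm2 does not fix a nested copy that another package resolves separately, so the nested `3.9.19` above is still reachable by whatever calls it.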