13 New Critical Holes in JavaScript Sandbox Allow Execution of Arbitrary Code

CSO Online, May 8, 2026

Why It Matters

These flaws turn a widely‑used isolation layer into a direct pathway for system compromise, threatening any organization that runs user‑supplied JavaScript with vm2.

Key Takeaways

  • 13 critical vm2 flaws enable arbitrary host code execution
  • CVE‑2026‑26956 exploits Node 25 WebAssembly path for sandbox escape
  • CVE‑2026‑44007 bypasses sandbox via NodeVM nesting:true option
  • Upgrade to vm2 3.11.2 or apply patches immediately
  • Consider containerization or V8 isolates for stronger isolation

Pulse Analysis

The vm2 package has become a de‑facto standard for running untrusted JavaScript inside Node.js applications, offering a lightweight sandbox that whitelists built‑in modules. Security researchers at Socket uncovered thirteen separate defects, two of which received CVE designations. The first, CVE‑2026‑26956, leverages a niche combination of vm2 3.10.4, Node 25.6.1, and WebAssembly exception handling to expose the host process object, effectively nullifying the sandbox’s security boundary. The second, CVE‑2026‑44007, is a configuration‑driven escape that triggers when the nesting:true option interacts with the legacy module resolver, allowing arbitrary OS commands across a broader set of versions.

Technical analysis shows the Node 25/WebAssembly vector is narrow but high‑impact: only deployments that deliberately run vm2 on Node 25 with WebAssembly available inside the sandbox are exposed. In contrast, the nesting:true issue is more pervasive because many developers adopt the option to simplify module loading. Mitigation steps include upgrading to vm2 3.11.2, which patches both vulnerabilities, or applying the temporary patches released by Socket. Organizations should also avoid Node 25 runtimes, disable WebAssembly inside untrusted sandboxes, and audit code paths that instantiate vm2 with user‑controlled input.
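One way to carry out the dependency and configuration audit described above, as an added example that is not part of the article or the vm2 project: a small Node.js script that flags an installed vm2 version older than the fixed 3.11.2 and any source line that passes the nesting:true option. The lockfile layouts and sample inputs are constructed here; real projects would feed in their own package-lock.json and source tree.

```javascript
// Added audit helper (not the article's or vm2's own code): flags a vm2 version below the
// fixed 3.11.2 and NodeVM options that set nesting: true, the CVE-2026-44007 trigger.
const FIXED_VM2 = '3.11.2';   // release the article says patches both CVEs

// Dotted numeric version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Installed vm2 version from package-lock.json text: lockfile v2/v3 "packages" layout
// first, then the v1 "dependencies" layout; null when vm2 is not installed at all.
function installedVm2Version(lockText) {
  const lock = JSON.parse(lockText);
  const v3 = lock.packages && lock.packages['node_modules/vm2'];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies.vm2;
  return v1 && v1.version ? v1.version : null;
}
function vm2NeedsUpgrade(version) {
  return version !== null && compareVersions(version, FIXED_VM2) < 0;
}

// 1-based line numbers on which a source file enables the nesting option (bare or quoted key).
const NESTING_RE = /["']?nesting["']?\s*:\s*true\b/;
function findNestingTrue(source) {
  return source.split('\n')
    .map((line, i) => (NESTING_RE.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Run both checks over in-memory inputs (sources maps file name to contents) and
// return human-readable findings; an empty array means nothing was flagged.
function audit(lockText, sources) {
  const findings = [];
  const v = installedVm2Version(lockText);
  if (vm2NeedsUpgrade(v)) findings.push(`vm2 ${v} installed; upgrade to ${FIXED_VM2}`);
  for (const [file, src] of Object.entries(sources))
    for (const ln of findNestingTrue(src)) findings.push(`${file}:${ln}: nesting: true set`);
  return findings;
}

// Constructed sample inputs (not real project data) so the checks run offline.
const SAMPLE_LOCK = JSON.stringify({ packages: { 'node_modules/vm2': { version: '3.10.4' } } });
const SAMPLE_SOURCE = "const { NodeVM } = require('vm2');\nconst vm = new NodeVM({\n  nesting: true,\n});";
```

Running `audit(SAMPLE_LOCK, { 'run.js': SAMPLE_SOURCE })` reports both the outdated version and the flagged option; a project on 3.11.2 with no nesting:true usage yields an empty list.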

Beyond the immediate patches, the incident underscores a fundamental weakness in relying on software‑level sandboxes for untrusted code. Security experts recommend treating vm2 as a convenience layer rather than a hard security perimeter, and moving high‑risk workloads into hardened Docker containers or V8 isolates that provide stronger OS‑level isolation. Continuous monitoring of dependency trees, rapid patch cycles, and a defense‑in‑depth strategy are now essential for any firm that embeds third‑party JavaScript execution engines.
