13 new critical holes in JavaScript sandbox allow execution of arbitrary code
Summary
Thirteen critical vulnerabilities have been discovered in the vm2 JavaScript sandbox package, with one notably allowing for full sandbox escape and arbitrary code execution. Developers using vm2 are urged to update to version 3.11.2 to mitigate these risks, as an attacker could potentially gain control of host processes.
IFF Assessment
The discovery of multiple critical vulnerabilities, including sandbox escapes and arbitrary code execution, presents a significant risk to systems relying on the vm2 JavaScript sandbox.
Severity
The identified vulnerabilities, particularly CVE-2026-26956, enable sandbox escape and arbitrary code execution, representing a critical threat. The potential impact is high, and the attack vector can be straightforward in certain configurations.
Defender Context
This highlights the ongoing risks associated with untrusted code execution, even within sandboxed environments. Defenders must ensure that libraries like vm2 are kept up-to-date and that sensitive operations performed within sandboxes are carefully reviewed for potential compromises.