In both cases, the highest-risk users are organizations that run untrusted JavaScript and assume vm2 is containing it. These [application development] teams should patch immediately and add stronger isolation around sandboxed workloads.”
‘Fragile security model’
These sandbox escape vulnerabilities show why sandboxing untrusted code inside a trusted process is a fragile security model, Adam Reynolds, senior security researcher at Sonatype, said in an email. “Once untrusted code runs inside a process with access to credentials and secrets, the underlying filesystem, the network, or with deployment privileges, a sandbox bypass can easily lead to a full system compromise,” he said.
Simply having vm2 installed somewhere in the dependency tree is not enough to make some of these vulnerabilities exploitable, he added. For example, an attacker usually needs the ability to execute crafted JavaScript (and in the case of CVE-2026-26956, crafted WebAssembly) inside a vm2 sandbox controlled by the vulnerable application. If the application never instantiates vm2, only uses it for trusted internal scripts, or doesn’t allow attacker-controlled code execution at all, then there may be no practical exploit path despite the presence of the dependency.