13 new critical holes in JavaScript sandbox allow execution of arbitrary code
Briefly

"These sandbox escape vulnerabilities demonstrate why sandboxing untrusted code inside a trusted process is a fragile security model," Adam Reynolds, senior security researcher at Sonatype, said in an email. "Once untrusted code runs inside a process with access to credentials and secrets, the underlying filesystem, the network, or with deployment privileges, a sandbox bypass can easily lead to a full system compromise," he said.
"In both cases, the highest-risk users are organizations that run untrusted JavaScript and assume vm2 is containing it. Those [application development] teams should patch immediately and add stronger isolation around sandboxed workloads."
"Simply having vm2 installed somewhere in the dependency tree is not enough to make some of these vulnerabilities exploitable," he added. "For example, an attacker generally needs the ability to execute crafted JavaScript (and in the case of CVE-2026-26956, crafted WebAssembly) inside a vm2 sandbox controlled by the vulnerable application."
"If the application never instantiates vm2, only uses it for trusted internal scripts, or does not allow attacker-controlled code execution at all, then there may be no realistic exploit path despite the presence of the dependency."
The highest-risk organizations are those that run untrusted JavaScript and rely on vm2 to contain it. These sandbox escape vulnerabilities show that sandboxing untrusted code inside a trusted process is fragile. When untrusted code runs inside a process that has access to credentials and secrets, the underlying filesystem, the network, or deployment privileges, a sandbox bypass can quickly result in full system compromise. Simply having vm2 somewhere in a dependency tree does not automatically make these vulnerabilities exploitable. Exploitation typically requires the ability to execute crafted JavaScript, and in one case crafted WebAssembly, inside a vm2 sandbox controlled by the vulnerable application. If the application never instantiates vm2, only uses it for trusted internal scripts, or prevents attacker-controlled code execution, realistic exploit paths may not exist.
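The distinction above, between vm2 merely sitting in the dependency tree and vm2 actually being instantiated, can be triaged mechanically. The following Node.js code is an added example, not code from the article or from the vm2 project; the lockfile, file names, version string and file contents are constructed, and the regex scan is a heuristic that cannot tell whether the code reaching the sandbox is attacker-controlled.

```javascript
// Added example: constructed inputs, not real project data.
// Heuristic only: misses aliased imports such as `const { VM: Box } = require('vm2')`.
const IMPORT_RE = /require\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/;
const NEW_RE = /new\s+(?:\w+\.)?(?:VM|NodeVM)\s*\(/;

// Lockfile v2/v3: keys of "packages" are install paths; "" is the root project.
function findVm2Installs(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const declared = { ...root.dependencies, ...root.devDependencies };
  return Object.entries(pkgs)
    .filter(([path]) => /(^|\/)node_modules\/vm2$/.test(path)) // not "vm2-extra"
    .map(([path, meta]) => ({ path, version: meta.version, direct: "vm2" in declared }));
}

// Report files that import vm2 and whether they construct a VM or NodeVM.
function scanSources(files) {
  return Object.entries(files)
    .filter(([, text]) => IMPORT_RE.test(text))
    .map(([file, text]) => ({ file, instantiates: NEW_RE.test(text) }));
}

function triage(lock, files) {
  const installs = findVm2Installs(lock);
  const usage = scanSources(files);
  let verdict = "not installed";
  if (installs.length > 0) {
    verdict = usage.some((u) => u.instantiates)
      ? "instantiated: confirm whether untrusted code can reach the sandbox"
      : "installed, no instantiation found";
  }
  return { installs, usage, verdict };
}

// Constructed sample: vm2 arrives transitively and is instantiated by the dependency.
const sampleLock = { packages: {
  "": { name: "demo-app", dependencies: { "report-engine": "^1.0.0" } },
  "node_modules/report-engine": { version: "1.0.0" },
  "node_modules/report-engine/node_modules/vm2": { version: "0.0.0-constructed" },
} };
const sampleFiles = {
  "src/index.js": "const engine = require('report-engine');\n",
  "node_modules/report-engine/lib/eval.js":
    "const { VM } = require('vm2');\nmodule.exports = (code) => new VM({ timeout: 100 }).run(code);\n",
};
console.log(JSON.stringify(triage(sampleLock, sampleFiles), null, 2));
```

A verdict of "instantiated" is a prompt for manual review of what input reaches the sandbox; it does not by itself establish exploitability.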
Read at InfoWorld