13 new critical holes in JavaScript sandbox permit execution of arbitrary code

In both cases, the highest-risk customers are organizations that run untrusted JavaScript and assume vm2 is containing it. These [application development] groups ought to patch immediately and add stronger isolation around sandboxed workloads.”

‘Fragile security model’

These sandbox escape vulnerabilities demonstrate why sandboxing untrusted code inside a trusted process is a fragile security model, Adam Reynolds, senior security researcher at Sonatype, said in an email. “Once untrusted code runs inside a process with access to credentials and secrets, the underlying filesystem, the network, or with deployment privileges, a sandbox bypass can easily lead to a full system compromise,” he said.

Simply having vm2 installed somewhere in the dependency tree is not enough to make some of these vulnerabilities exploitable, he added. For example, an attacker typically needs the ability to execute crafted JavaScript (and in the case of CVE-2026-26956, crafted WebAssembly) inside a vm2 sandbox managed by the vulnerable application. If the application never instantiates vm2, only uses it for trusted internal scripts, or doesn’t allow attacker-controlled code execution at all, then there may be no practical exploit path despite the presence of the dependency.
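The triage described above can be sketched as a two-step check: is vm2 in the lockfile, and does any code in the tree actually construct a sandbox and feed it non-fixed input. This is an added example, not code from the article or the vm2 project; the lockfile excerpt, the file contents, the `rule-runner` package and the status strings are constructed, and the regex scan is a heuristic starting point for manual review.

```javascript
// Added example. Lockfile excerpt and source snippets are constructed sample data.
const sampleLock = {
  packages: {
    "": { name: "demo-app", dependencies: { "rule-runner": "^1.0.0" } },
    "node_modules/rule-runner": { version: "1.0.0", dependencies: { vm2: "*" } },
    "node_modules/vm2": { version: "0.0.0-constructed" }, // placeholder version
  },
};
const sampleFiles = {
  "src/app.js": "const rr = require('rule-runner');\napp.post('/eval', (req, res) => res.json(rr.evaluate(req.body.rule)));\n",
  "node_modules/rule-runner/index.js": "const { VM } = require('vm2');\nexports.evaluate = (code) => new VM({ timeout: 100 }).run(code);\n",
  "src/report.js": "const { VM } = require('vm2');\nmodule.exports = () => new VM().run('1 + 1');\n",
};

// Step 1: is vm2 installed at all, and is it a direct dependency of the root package?
function findVm2(lock) {
  const root = lock.packages[""] || {};
  const direct = "vm2" in { ...root.dependencies, ...root.devDependencies };
  return Object.entries(lock.packages)
    .filter(([path]) => /(^|\/)node_modules\/vm2$/.test(path))
    .map(([path, meta]) => ({ path, version: meta.version, direct }));
}

// Step 2: which files (first-party or dependencies) load vm2 and construct a sandbox?
function findSandboxSites(files) {
  const sites = [];
  for (const [file, src] of Object.entries(files)) {
    if (!/require\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/.test(src)) continue;
    if (!/new\s+(VM|NodeVM)\s*\(/.test(src)) continue;
    // Heuristic: a single plain quoted literal passed to run() is a fixed script;
    // anything else is treated as dynamic input that must be traced by hand.
    const dynamic = [...src.matchAll(/\.run\(\s*([^)]*)/g)]
      .some((m) => !/^(['"])[^'"]*\1\s*$/.test(m[1]));
    sites.push({ file, input: dynamic ? "dynamic" : "literal" });
  }
  return sites;
}

// Combine both steps into a status a reviewer can act on.
function triage(lock, files) {
  const installed = findVm2(lock);
  if (installed.length === 0) return { status: "not-installed", installed, sites: [] };
  const sites = findSandboxSites(files);
  if (sites.length === 0) return { status: "installed-never-instantiated", installed, sites };
  const dyn = sites.some((s) => s.input === "dynamic");
  return { status: dyn ? "instantiated-dynamic-input" : "instantiated-literal-only", installed, sites };
}
```

In the sample data vm2 is only a transitive dependency, yet the first-party route in `src/app.js` passes request data into the dependency that runs it in a sandbox, which is why the scan covers dependents of vm2 and not just first-party files.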
