vm2 Sandbox Escape: Your AI Agent's Code Runner Just Got Owned
Three CVEs. CVSS 10.0. The Node.js sandbox library used by AI agents, online code runners, and plugin engines can be escaped with a WebAssembly trick. The sandbox was never safe.
#The sandbox isn't a sandbox. It's a suggestion.
vm2 is a Node.js library used to run untrusted code in isolation. Its entire purpose is to let you execute JavaScript from an unknown source without it being able to access your filesystem, your environment variables, your network, or anything else on the host.
It's used in AI agent orchestration (letting AI-generated code run safely), online code playgrounds (CodeSandbox-style tools), plugin engines (running third-party extensions), low-code platforms, and CI/CD pipelines.
Three new CVEs just proved the sandbox can be escaped:
- CVE-2026-26956 (CVSS 9.8): a WebAssembly `try_table` with a JSTag catch handler captures a host exception, traverses from it to the host `Function` constructor, and gains full host code execution
- CVE-2026-22709 (CVSS 9.8): second escape vector through a different host-object leak
- CVE-2026-43997 (CVSS 10.0): third escape, complete sandbox compromise
Once out of the sandbox, the attacker has everything the Node.js process has access to. Filesystem, environment variables, network, database connections, cloud credentials. The sandbox was the only thing between untrusted code and your infrastructure. It's gone.
#AI agents make this especially dangerous.
AI agent frameworks run generated code to accomplish tasks. "Fetch this data." "Process this file." "Call this API." The agent generates JavaScript, and the framework executes it in a sandbox (often vm2) to prevent the generated code from doing anything harmful.
With the sandbox broken, AI-generated code (or code from a compromised AI agent) can escape and access the host. That means:
- An AI coding agent with a poisoned context could execute code that escapes the sandbox and steals credentials from the host machine
- A plugin running in a vm2 sandbox could read your `.env` file, your SSH keys, your cloud credentials
- An online code runner could pivot from "evaluate this user's JavaScript" to "own the server"
The library is deprecated but still has massive install counts because it's a transitive dependency. Many projects don't even know they depend on it.
#What to do.
1. Check if you depend on vm2:
`
# lists every copy of vm2 in the tree, including copies nested under other packages
npm ls vm2
# or search the hidden lockfile that npm writes into node_modules
grep -r "vm2" node_modules/.package-lock.json
`
2. If you do, upgrade to 3.11.0 or later, which patches the known escapes. Where vm2 is a transitive dependency, the upgrade only takes effect if the package that pulls it in accepts the new version; pin it with an override if it does not, and re-run npm ls vm2 afterwards to confirm no older copy survives.
3. Better yet, migrate off vm2 entirely. The library is deprecated. The maintainers have said it cannot be made reliably secure. Better alternatives:
- isolated-vm: runs code in separate V8 isolates (own heap and context, with memory limits and execution timeouts) instead of vm2's proxied contexts. It still lives inside the Node.js process, so it is not OS-level isolation on its own; put it inside a container or a separate process for defense in depth
- Separate process/container: Run untrusted code in a disposable container with no network access and no host filesystem mounts
- Deno: Built-in permission model that sandboxes by default (no filesystem, no network, no env access unless explicitly granted)
- gVisor: Application kernel that provides defense in depth for container workloads
4. If you run AI agents that execute generated code, audit what isolation mechanism they use. If it's vm2, the "sandbox" around your AI's code execution is broken. Replace it with actual process isolation.
5. If you use a low-code/no-code platform, ask the vendor what sandbox they use for custom code execution. If they say vm2, ask about their migration plan.
#Further reading
- GitHub Advisory GHSA-ffh4-j6h5-pg66 - CVE-2026-26956 details
- SOCRadar Analysis - exploitation in AI agent contexts
- isolated-vm - secure alternative using V8 isolates
- Deno Security Model - permission-based isolation by default
- gVisor - container isolation for defense in depth