Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape
Blog post from Socket
Socket has released free Certified Patches for a critical sandbox escape in vm2, a JavaScript sandboxing library used in Node.js applications. The flaw lets attacker-controlled JavaScript break out of the sandbox and execute arbitrary commands on the host. It is tracked as GHSA-ffh4-j6h5-pg66 and CVE-2026-26956.

The advisory initially listed only vm2 3.10.4 on Node 25 as affected. Socket's own testing showed a much wider range: vm2 0.2.2 through 3.10.4, on Node.js 24.15.0 and any other runtime version that exposes WebAssembly.JSTag. Socket updated the GitHub advisory accordingly. The discrepancy matters because security scanners and dependency management tools rely on that metadata, and an under-scoped affected-version range would have left older vm2 releases reported as safe.

The Certified Patches are minimal fixes for the vulnerable versions, so teams can close the hole without a full dependency upgrade. They are free to all users, including non-customers. Socket's guidance: upgrade to vm2 3.10.5 or later; apply the Certified Patch where an upgrade is not immediately possible; and, given vm2's history of sandbox escape vulnerabilities, review the isolation model around it. Untrusted code should run with least privilege and behind a stronger boundary than an in-process sandbox, such as a separate process or a container.
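The two affected-version conditions above (vm2 0.2.2 through 3.10.4, and a runtime that exposes WebAssembly.JSTag) can be turned into a quick triage check. The script below is an added example, not Socket's or the vm2 project's code; it assumes the affected range is inclusive at both ends, ignores prerelease tags when comparing versions, and treats the presence of `WebAssembly.JSTag` in the current process as the runtime condition. Reading the installed version via `require('vm2/package.json')` is also an assumption about the deployment layout.

```javascript
// Added example (not Socket's or vm2's code): triage check for CVE-2026-26956.
// Assumptions: affected vm2 versions are 0.2.2 through 3.10.4 inclusive, and
// the escape needs a runtime that exposes WebAssembly.JSTag.

const AFFECTED_MIN = '0.2.2';
const AFFECTED_MAX = '3.10.4';

// Compare two dotted version strings numerically. A leading "v" is tolerated
// and any prerelease suffix ("-beta.1") is ignored. Returns -1, 0 or 1.
function compareSemver(a, b) {
  const parse = (v) =>
    v.replace(/^v/, '').split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the vm2 version falls inside the range Socket reported as affected.
function isAffectedVm2Version(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, AFFECTED_MAX) <= 0;
}

// True when the given WebAssembly namespace (default: this process's) exposes JSTag.
function runtimeExposesJSTag(wasm = globalThis.WebAssembly) {
  return typeof wasm === 'object' && wasm !== null && typeof wasm.JSTag !== 'undefined';
}

// Combine both conditions into a verdict. An affected version on a runtime
// without JSTag is still flagged: the version needs patching regardless, since
// a later Node upgrade could expose JSTag and complete the exposure.
function assessExposure(version, wasm = globalThis.WebAssembly) {
  const vulnerableVersion = version !== null && isAffectedVm2Version(version);
  const jstag = runtimeExposesJSTag(wasm);
  let verdict;
  if (version === null) {
    verdict = 'vm2 not installed';
  } else if (!vulnerableVersion) {
    verdict = 'vm2 version outside the affected range';
  } else if (!jstag) {
    verdict = 'PATCH NEEDED: affected vm2 version; this runtime does not expose WebAssembly.JSTag';
  } else {
    verdict = 'EXPOSED: affected vm2 version on a runtime that exposes WebAssembly.JSTag';
  }
  return { version, vulnerableVersion, jstag, verdict };
}

// Assumed deployment layout: vm2 resolvable from this module. Returns null if not.
function readInstalledVm2Version() {
  try {
    return require('vm2/package.json').version;
  } catch (e) {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = assessExposure(readInstalledVm2Version());
  console.log(`node ${process.version}: ${JSON.stringify(result)}`);
}
```

Run it with the same Node binary that serves the application, since the JSTag check reflects the runtime it executes in, not the one on a developer's laptop. A "PATCH NEEDED" result is not a pass: it only means the second condition is not met today.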