Critical vm2 sandbox bug lets attackers execute code on hosts
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. [...]
Sandboxing isolates untrusted code or files so analysts and security tools can observe behavior and limit damage from malware.
Search across headline titles and summaries.
Background for this topic.
A sandbox is an isolated environment for running or inspecting software, files, or workloads without giving them the same access as the host system. In security, it commonly supports malware analysis, suspicious-file detonation, browser and application isolation, and safe testing of potentially vulnerable code. Isolation may rely on virtual machines, containers, operating-system controls, or combinations of these mechanisms.
Sandboxes reduce risk but are not automatically safe: vulnerabilities in the sandbox or hypervisor can enable an escape, and malware may detect analysis conditions and change its behavior. Effective deployments restrict privileges, filesystem access, credentials, and network connectivity; reset environments after use; and monitor activity. Analysts should also protect submitted samples, which can contain confidential data. Sandbox observations can supply threat-intelligence indicators and help validate detections, but a clean result is not proof that code is benign.
Weekly headline count for the current query.
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. [...]
CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks. [...]
Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host. [...]
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. [...]
Microsoft has pushed back against claims that multiple prompt injection and sandbox-related issues raised by a security engineer in its Copilot AI assistant constitute security vulnerabilities. The development highlights a growing divide between how vendors and researchers define risk in generative AI systems. [...]
Attackers exploit web browsers' built-in behaviors to steal credentials, abuse extensions, and move laterall, slipping past traditional defenses. Learn from Keep Aware how browser-layer visibility and policy enforcement stop these hidden threats in real time. [...]
Microsoft has released the KB5065789 preview cumulative update for Windows 11 24H2, which includes 41 improvements, including new AI actions in File Explorer and bug fixes for Windows Update and Windows Sandbox. [...]
Google has released a security update for Chrome to address half a dozen vulnerabilities, one of them actively exploited by attackers to escape the browser's sandbox protection. [...]
Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. [...]
Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations. [...]
OpenAI's containerized ChatGPT environment is open to limited yet extensive access to core instructions while allowing arbitrary file uploads and command execution within the isolated sandbox. [...]
Windows 11 Build 27686 has a few noteworthy improvements, such as 2TB support for FAT32 storage. It also improves Windows Sandbox and offers greater control over HDR settings, but there's an undocumented change - the ability to set power mode for two power states. [...]
VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system. [...]
The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. [...]
Google has officially announced plans to gradually eliminate third-party cookies, a key aspect of its Privacy Sandbox initiative. [...]
Google has started to roll out its new interest-based advertising platform called the Privacy Sandbox, shifting the tracking of user's interests from third-party cookies to the Chrome browser. [...]
Microsoft announced the public preview launch of Win32 app isolation, a new Windows 11 security feature specifically designed to sandbox 32-bit desktop applications. [...]
Google announced today that bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser are now eligible for triple the standard reward until December 1st, 2023. [...]
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]
Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. [...]