
All news with #sandbox escape tag

18 articles

Critical vm2 JavaScript Sandbox Flaws Allow Host Escape

⚠️ Thirteen critical vulnerabilities have been disclosed in the vm2 JavaScript sandbox, including a full sandbox escape (CVE-2026-26956) that can allow attacker-controlled code to execute host commands under specific Node.js 25/WebAssembly conditions. Another high-risk issue (CVE-2026-44007) involves NodeVM nesting interacting with the legacy module resolver and was patched in 3.11.1. Developers should upgrade to vm2 3.11.2 immediately and consider interim mitigations such as avoiding Node 25 runtimes or disabling WebAssembly for untrusted sandboxes.

Critical vm2 Node.js sandbox escape vulnerabilities

⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.

Critical vm2 sandbox vulnerability allows host RCE

🚨 A critical vulnerability in the Node.js sandbox library vm2 (CVE-2026-26956) can be exploited to escape the sandbox and execute arbitrary code on the host. The issue has been confirmed in vm2 3.10.4 on Node.js 25 (tested on 25.6.1) when WebAssembly exception handling and JSTag support are enabled. A proof-of-concept exploit is public; users should upgrade to vm2 3.10.5 or later (latest 3.11.2) immediately.

Critical Terrarium Sandbox Flaw Enables Root Code Execution

⚠️ A critical vulnerability in the Python-based sandbox Terrarium (CVE-2026-5752) allows attackers to execute arbitrary code with root privileges by traversing JavaScript prototype chains in the Pyodide WebAssembly environment. Disclosed by CERT/CC and credited to researcher Jeremy Brown, the flaw permits sandbox escapes from Docker-deployed containers and can expose sensitive files or services. Because the project is no longer actively maintained, immediate mitigations are recommended, such as disabling untrusted code submissions and isolating containers.

AgentCore Sandbox DNS Escape and MMDSv1 Regression

🔎 Unit 42 found that Amazon's AgentCore Code Interpreter sandbox permitted recursive DNS resolution, enabling covert DNS tunneling that can exfiltrate and receive data despite advertised isolation. They also identified a regression in the microVM Metadata Service where MMDSv1 accepted unauthenticated HTTP GETs without session-token enforcement, exposing credentials and pre-signed S3 artifacts. AWS was notified and implemented mitigations including documentation updates, setting MMDSv2 as the default for new runtimes, and providing APIs to disable v1 on legacy agents.

DNS Exfiltration and RCE Risk in AI Code Sandboxes

🔒 Researchers disclosed that Amazon Bedrock AgentCore Code Interpreter's sandbox mode permits outbound DNS queries, enabling attackers to create bidirectional command-and-control channels and exfiltrate data via DNS despite a "no network access" setting. BeyondTrust rated the issue 7.5/10 and recommends migrating critical workloads to VPC mode and using a Route53 DNS Firewall. Administrators should audit IAM roles and inventory active interpreters immediately.

DNS-Based Data Exfiltration via AWS Bedrock Code Interpreter

⚠️ Phantom Labs Research demonstrated a DNS-based exfiltration technique targeting the AWS Bedrock AgentCore Code Interpreter that bypasses expected Sandbox Mode network restrictions. Maliciously crafted files (for example, CSVs) can influence generated Python code to use DNS queries as a covert command-and-control channel. In tests, researchers executed commands, enumerated and retrieved S3 content and secrets while the environment still reported network access disabled. AWS says this is intended behavior and updated documentation; organisations should inventory AgentCore instances, tighten IAM roles and move sensitive workloads to VPC mode.

The New Turing Test: Geometry-Based Sandbox Evasion

🛡️ Modern malware increasingly uses mathematical and timing checks to avoid analysis. The Picus Red Report™ 2026 found Virtualization/Sandbox Evasion (T1497) surged to the #4 technique in 2025, appearing in 20% of samples. Threats like Blitz and LummaC2 use system profiling, trigonometry-based mouse analysis, and CPU timing comparisons to detect sandboxes and abort execution. Organizations should shift from file analysis to continuous behavioral validation using AEV and BAS.

Critical n8n Expression-Sandbox Bypass Enables RCE

⚠️ A critical vulnerability (CVE-2026-25049, CVSS 9.4) in the n8n workflow automation platform can allow authenticated users with workflow edit rights to execute arbitrary system commands by abusing expression evaluation. The flaw bypasses prior fixes for CVE-2025-68613 and can be triggered by crafted expressions — including a single-line JavaScript destructuring payload — that escape the expression sandbox. Affected releases are <1.123.17 (fixed in 1.123.17) and <2.5.2 (fixed in 2.5.2). Operators should apply the updates immediately or, if patching is not possible, restrict workflow creation to trusted users and harden host and network privileges.

Two Critical Sandbox Escapes in n8n AI Lead to Full Takeover

🔒 Pillar Security identified two maximum-severity sandbox escape vulnerabilities in the n8n workflow automation platform that allow any authenticated user to gain full server control and exfiltrate stored credentials (API keys, cloud keys, database passwords and OAuth tokens) on both self-hosted and cloud instances. The first flaw was patched by n8n, but researchers found a bypass within 24 hours, prompting the vendor to release n8n v2.4.0 in January 2026. Immediate mitigation steps include upgrading to 2.4.0, rotating the n8n encryption key and all stored credentials, auditing workflows for suspicious expressions and monitoring AI-related outbound activity.

Critical RCE Bugs Allow n8n Sandbox Escapes, Patches

⚠️ Two critical sandbox escape vulnerabilities in n8n allow authenticated users to achieve remote code execution on affected instances. JFrog researchers reported that flaws in the JavaScript expression engine and the Python Code node can bypass sandboxing protections, exposing workflow engines to host-level compromise. The JavaScript issue stems from a missed edge case in AST-based sanitization when expressions are passed to a Function constructor; the Python escape affects Internal execution mode. Both flaws carry high severity and have been patched—organizations should update to the specified releases and restrict who can create or edit workflows until upgrades are applied.

Critical vm2 Node.js sandbox vulnerability allows escape

⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.

Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️ Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.

Critical vm2 Node.js Vulnerability Enables Sandbox Escape

⚠️ A critical sandbox escape in vm2 (CVE-2026-22709) can allow execution of arbitrary code on the host by bypassing Promise handler sanitization. Endor Labs researchers Peyton Kennedy and Cris Staicu reported that async functions return global Promise objects whose then and catch handlers were not properly sanitized, creating an escape vector. The flaw carries a CVSS score of 9.8 and was addressed in vm2 3.10.2; the article cites 3.10.3 with additional fixes. Users are urged to update and consider stronger isolation alternatives such as isolated-vm or container-level separation.

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️ A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.

Critical 'Cellbreak' Pyodide Sandbox Escape in Grist

⚠️ A critical sandbox escape in Grist-Core allows malicious spreadsheet formulas to execute OS commands or host JavaScript via Pyodide, collapsing the boundary between cell logic and host execution. The flaw, tracked as CVE-2026-24002 and dubbed Cellbreak, has CVSS 9.1 and was fixed in Grist 1.7.9 (Jan 9, 2026). Operators should update immediately or set GRIST_SANDBOX_FLAVOR to "gvisor" as a temporary mitigation.