Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

Posted on January 28, 2026 by CWS

Ravie Lakshmanan, Jan 28, 2026, Vulnerability / Open Source
A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.
The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.
“In vm2 for version 3.10.0, Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said. “This allows attackers to escape the sandbox and run arbitrary code.”
vm2 is a Node.js library used to run untrusted code inside a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

The newly discovered flaw stems from the library’s improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.
“The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` aren’t properly sanitized (unlike `localPromise`),” Endor Labs researchers Peyton Kennedy and Cris Staicu said.
While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it is the latest in a steady stream of sandbox escapes that have plagued the library in recent years. These include CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.

The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued. However, those references have since been removed from the latest README file available in its GitHub repository. The Security page has also been updated as of October 2025 to say that vm2 3.x versions are being actively maintained.
However, vm2’s maintainer has also acknowledged that new bypasses will likely be discovered in the future, urging users to make sure that they keep the library up to date and consider other robust alternatives, such as isolated-vm, for stronger isolation guarantees.

“Instead of relying on the problematic vm model, the successor to vm2, isolated-vm, relies on V8’s native Isolate interface, which offers a more solid foundation, but even then, the maintainers of vm2 stress the importance of isolation and actually recommend Docker with logical separation between components,” Semgrep said.
In light of the criticality of the flaw, users are recommended to update to the latest version (3.10.3), which comes with fixes for additional sandbox escapes.
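A practical follow-up to the update advice above is an inventory check. The following is an added example, not code from the article or from the vm2 project: it walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, constructed inline here) and flags every vm2 install, including transitive copies nested under other packages, that is older than the 3.10.3 release the article recommends.

```javascript
// Added example (not from the article or the vm2 project): audit a
// package-lock.json for vm2 installs older than the recommended release.
// Transitive copies live under "<dep>/node_modules/vm2" and are easy to miss.

// 3.10.2 fixed CVE-2026-22709; the article recommends 3.10.3, which also
// carries fixes for additional sandbox escapes.
const RECOMMENDED_VM2 = '3.10.3';

// Compare two dotted numeric versions (pre-release suffix ignored).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every vm2 entry in the lockfile with its install path, version
// and whether it is below the recommended release.
function auditVm2(lockfile) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    // The package name is the last "node_modules/" segment of the path.
    if (!installPath.endsWith('node_modules/vm2')) continue;
    const version = entry.version || 'unknown';
    const vulnerable =
      version === 'unknown' || compareVersions(version, RECOMMENDED_VM2) < 0;
    findings.push({ path: installPath, version, vulnerable });
  }
  return findings;
}

// Constructed sample lockfile: the direct vm2 dependency is already on the
// recommended release, but a plugin pins a transitive copy of a 3.9.x build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.10.3' } },
    'node_modules/vm2': { version: '3.10.3' },
    'node_modules/legacy-plugin': { version: '1.0.0', dependencies: { vm2: '~3.9.0' } },
    'node_modules/legacy-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const f of auditVm2(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} (${f.version})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a nested copy that `npm ls vm2` shows only as deduped is still reported here because the walk is over install paths.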