
A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library. A successful exploit could allow an attacker to execute arbitrary code on the underlying operating system.
The vulnerability is tracked as CVE-2026-22709 and carries a CVSS score of 9.8 out of 10.0.
“As of version 3.10.0 of VM2, you can bypass sanitization of the Promise.prototype.then and Promise.prototype.catch callbacks,” said VM2 maintainer Patrik Simek. “This allows an attacker to escape the sandbox and execute arbitrary code.”
vm2 is a Node.js library for running untrusted code in a sandboxed environment: it intercepts and proxies JavaScript objects so that sandboxed code cannot reach the host environment.

The newly discovered flaw stems from the library's improper sanitization of Promise handlers, which creates escape vectors that allow arbitrary code to execute outside the bounds of the sandbox.
“The key insight is that asynchronous functions in JavaScript return a ‘globalPromise’ object rather than a ‘localPromise’ object, because ‘globalPromise.prototype.then’ and ‘globalPromise.prototype.catch’ (unlike ‘localPromise’) are not properly sanitized,” said Endor Labs researchers Peyton Kennedy and Cris Staicu.
CVE-2026-22709 is addressed in vm2 version 3.10.2. It is the latest in a steady stream of sandbox escapes that have plagued the library in recent years, including CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.
After CVE-2023-37903 was disclosed in July 2023, Simek announced that the project was being discontinued. That notice has since been removed from the README in the GitHub repository, and the security page was updated in October 2025 to state that the VM2 3.x line is actively maintained.
At the same time, the vm2 maintainers acknowledge that new bypasses are likely to be discovered in the future. They urge users to keep the library up to date and to consider more robust alternatives, such as isolated-vm, where stronger isolation is needed.

“Instead of relying on the problematic VM model, VM2’s successor, isolated-vm, relies on V8’s native Isolate interface, which provides a more solid foundation. But still, VM2 administrators emphasize the importance of isolation and actually encourage Docker, which has logical separation between components,” Semgrep said.
Given the severity of the flaw, we recommend upgrading to the latest version (3.10.3), which includes additional fixes for sandbox escapes.
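As an added check (example code written for this page, not from the article or the vm2 project): a small Node.js script that walks a package-lock.json, reports every copy of vm2, including nested copies pulled in transitively by other dependencies, and flags those older than 3.10.2, the fix version named above. The lockfile contents and the dependency name some-plugin are constructed for the example; the fixed-version floor can be overridden if you want to enforce 3.10.3.

```javascript
// Added example: find every vm2 install recorded in an npm lockfile and flag
// versions below the CVE-2026-22709 fix release. Not part of vm2 or the article.
const FIXED_VERSION = '3.10.2'; // fix version reported above; pass another to enforce 3.10.3

// Minimal major.minor.patch comparison; a pre-release suffix (e.g. "-rc.1") is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Returns [{ path, version, vulnerable }] for every vm2 copy in the lockfile.
// Lockfile v2/v3 lists every install path in "packages" (nested copies appear as
// node_modules/<dep>/node_modules/vm2); lockfile v1 nests them under "dependencies".
function findVm2(lock, fixed = FIXED_VERSION) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerableVersion(version, fixed) });

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        record(path, meta.version);
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): the app's own vm2 is patched, but a
// hypothetical dependency "some-plugin" pins its own, older copy underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0', dependencies: { vm2: '^3.10.2', 'some-plugin': '^1.0.0' } },
    'node_modules/vm2': { version: '3.10.2' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

function report(lock, fixed = FIXED_VERSION) {
  const hits = findVm2(lock, fixed);
  for (const h of hits) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.path} ${h.version}`);
  }
  return hits.some((h) => h.vulnerable) ? 1 : 0; // non-zero exit for CI gates
}

// Usage: node vm2-check.js [path/to/package-lock.json]; without an argument the
// constructed sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  process.exitCode = report(lock);
}
```

On an installed tree, `npm ls vm2` prints the same nesting, but the lockfile scan runs offline and in CI before anything is installed, which is where a transitive, out-of-date copy is easiest to miss.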
