
Critical sandbox escape flaw discovered in popular vm2 NodeJS library

Published:

27 January 2026 at 16:35:29

Alert date:

27 January 2026 at 17:08:00

Source:

bleepingcomputer.com


Web Technologies, Supply Chain & Dependencies, Zero-Day Vulnerabilities

A critical-severity vulnerability, CVE-2026-22709, has been discovered in the popular vm2 Node.js sandbox library. The flaw allows attackers to escape the sandbox and execute arbitrary code on the underlying host system. This is a significant risk for applications that rely on vm2 for code isolation, since the widely used library exists precisely to provide a contained execution environment for untrusted code.

Technical details

The vulnerability stems from vm2's failure to properly sandbox Promises, the objects that represent asynchronous operations. vm2 sanitizes callbacks attached to its own internal Promise implementation, but async functions return a global Promise whose .then() and .catch() callbacks are not sanitized. This bypasses the callback sanitization applied to Promise.prototype.then and Promise.prototype.catch, letting an attacker escape the sandbox and run arbitrary code on the host system.

Mitigation steps:

Users are recommended to upgrade to the latest vm2 release (version 3.10.3) as soon as possible. The vulnerability was partially addressed in version 3.10.1 and fully fixed in version 3.10.2, with version 3.10.3 containing fixes for all disclosed vulnerabilities.

Affected products:

vm2 Node.js library version 3.10.0
vm2 versions prior to 3.10.1 (partially fixed)
vm2 versions prior to 3.10.2 (full fix)
vm2 version 3.10.3 (current secure version)
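The practical follow-up to the mitigation and affected-products sections above is finding every copy of vm2 in a dependency tree and comparing it against the release thresholds the advisory names (partial fix 3.10.1, full fix 3.10.2, recommended 3.10.3). The script below is an added example, not code from the advisory, from BleepingComputer or from the vm2 project. It assumes a package-lock.json with a lockfileVersion 2 or 3 "packages" map, and the lockfile content it audits is constructed sample data, not a real project.

```javascript
// Added example: audit a package-lock.json for vm2 copies that are below the
// fix thresholds stated in the advisory. Thresholds are taken from the advisory;
// the lockfile below is constructed sample data.
const PARTIAL_FIX = '3.10.1';
const FULL_FIX = '3.10.2';
const RECOMMENDED = '3.10.3';

// Parse "major.minor.patch" (optionally with a leading "v") into numbers so
// that 3.10.0 compares as newer than 3.9.19 (a plain string compare would not).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed vm2 version against the advisory's thresholds.
function assessVm2(version) {
  if (compareVersions(version, PARTIAL_FIX) < 0) return 'unfixed';
  if (compareVersions(version, FULL_FIX) < 0) return 'partial-fix';
  if (compareVersions(version, RECOMMENDED) < 0) return 'fixed';
  return 'recommended';
}

// Walk the lockfile "packages" map and report every vm2 entry, including
// nested copies that other dependencies pull in under their own node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      findings.push({ path, version: entry.version, status: assessVm2(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 dependency still on 3.10.0 and a
// transitive copy that a hypothetical plugin already upgraded.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.10.0' },
    'node_modules/some-plugin': { version: '2.1.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.10.3' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.path}@${f.version}: ${f.status}`);
}
```

To run it against a real tree, replace sampleLock with JSON.parse of the project's package-lock.json; any finding other than "recommended" means the upgrade in the mitigation section is still outstanding for that copy, and nested copies matter because a single outdated transitive vm2 is enough to expose the sandbox.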


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
