A critical vulnerability in the vm2 Node.js sandbox (CVE-2026-22709) lets attackers escape the sandbox and execute arbitrary code on the host by bypassing the sanitization vm2 applies to Promise callbacks. A working exploit is public and trivial to use, so users should upgrade immediately to vm2 3.10.3, the release the maintainer reports as fixing all disclosed issues. #vm2 #CVE-2026-22709
Keypoints
- CVE-2026-22709 is a critical sandbox escape in vm2 that enables arbitrary code execution on the host.
- The flaw is in how version 3.10.0 handles callbacks passed to the global Promise.prototype.then and .catch: they were not properly sanitized at the host/sandbox boundary, which is the boundary vm2 exists to enforce.
- An exploit demonstrating the sandbox escape has been published and is trivial to use against vulnerable versions.
- Maintainer Patrik Šimek issued partial fixes in 3.10.1, tightened them in 3.10.2, and reports all disclosed issues fixed in 3.10.3.
- vm2 is widely used across npm and GitHub in SaaS platforms, online code runners, and chatbots, so users should upgrade immediately.
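As an added check (not part of the advisory or of the vm2 project's own tooling), the script below audits a package-lock.json for every installed copy of vm2, including copies nested under other dependencies' node_modules that a glance at the top-level dependency list would miss, and flags any copy older than 3.10.3, the release the maintainer reports as fixing all disclosed issues. The lock file contents, the dependency name some-code-runner and the function names are constructed for the example.

```javascript
// Added example, not code from the advisory or the vm2 project.
// Audits a package-lock.json (lockfileVersion 1, 2 or 3) for vm2 copies
// older than the release the advisory reports as fixed (3.10.3).

const FIXED_VM2_VERSION = '3.10.3'; // per the advisory: all disclosed issues fixed here

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Throws on anything that is not a plain semver version string.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below its release (3.10.3-beta.1 < 3.10.3), so it is
// treated as not yet patched.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1;
    if (pb.pre[i] === undefined) return 1;
    const na = Number(pa.pre[i]);
    const nb = Number(pb.pre[i]);
    if (!Number.isNaN(na) && !Number.isNaN(nb)) {
      if (na !== nb) return na - nb;
    } else if (pa.pre[i] !== pb.pre[i]) {
      return pa.pre[i] < pb.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VM2_VERSION) < 0;
}

// lockfileVersion 1 keeps a nested "dependencies" tree; walk it recursively.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2') out.push({ path, version: entry.version, vulnerable: isVulnerableVm2(entry.version) });
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// Return every vm2 copy in the lock file, nested copies included.
function findVm2Copies(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
      out.push({ path, version: entry.version, vulnerable: isVulnerableVm2(entry.version) });
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// Constructed sample: a patched top-level vm2 plus a stale copy vendored
// under a hypothetical dependency "some-code-runner".
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vm2: '^3.10.3', 'some-code-runner': '^1.0.0' } },
    'node_modules/vm2': { version: '3.10.3' },
    'node_modules/some-code-runner': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/some-code-runner/node_modules/vm2': { version: '3.9.19' },
  },
};

function auditSampleLock() {
  return findVm2Copies(SAMPLE_LOCK);
}

for (const copy of auditSampleLock()) {
  console.log(`${copy.vulnerable ? 'VULNERABLE' : 'ok        '} ${copy.path} ${copy.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json; a nested stale copy is reachable by any code path that loads that dependency, so every flagged path needs either an upgrade of the dependency that pins it or an override to 3.10.3 or later.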