A critical security vulnerability has been disclosed in the widely used vm2 Node.js library, exposing systems to sandbox escape and arbitrary code execution risks. If exploited successfully, attackers could execute malicious code directly on the host operating system, completely bypassing vm2’s intended isolation mechanisms.
The flaw is tracked as CVE-2026-22709 and carries a CVSS score of 9.8, placing it among the most severe vulnerabilities affecting the Node.js ecosystem in recent years.
Vulnerability Overview
According to vm2 maintainer Patrik Simek, the issue affects vm2 version 3.10.0 and is rooted in incomplete sanitization of Promise callbacks.
“In vm2 for version 3.10.0, Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed,” Simek explained. “This allows attackers to escape the sandbox and run arbitrary code.”
vm2 is designed to execute untrusted JavaScript safely by proxying and intercepting objects to prevent access to the host environment. However, the newly discovered flaw undermines this security model.
Root Cause and Technical Insight
The vulnerability arises from how vm2 handles asynchronous JavaScript execution. Researchers Peyton Kennedy and Cris Staicu from Endor Labs explained that async functions return globalPromise objects rather than localPromise objects.
Because globalPromise.prototype.then and globalPromise.prototype.catch are not properly sanitized, attackers can exploit this gap to execute code outside the sandbox boundaries. This behavior creates a reliable escape vector from the supposedly isolated execution environment.
A History of Repeated Sandbox Escapes
CVE-2026-22709 is not an isolated incident. vm2 has faced a long history of sandbox escape vulnerabilities, including:
The discovery of CVE-2023-37903 in July 2023 prompted Simek to announce the discontinuation of the project. However, that decision was later reversed, and references to the shutdown were removed from the repository. As of October 2025, vm2’s Security page confirms that vm2 3.x versions are actively maintained.
Mitigation and Recommendations
The vulnerability has been fixed in vm2 version 3.10.2, with further hardening included in version 3.10.3. Users are strongly advised to upgrade immediately to the latest release to mitigate both this issue and additional sandbox escape weaknesses.
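The upgrade advice above is only actionable once every copy of vm2 in a project, including ones nested under other dependencies, has been located. The script below is an added example, not code from the article or from vm2: it walks an npm package-lock.json (lockfileVersion 1, 2 or 3 layouts are assumed) and classifies each vm2 install against the 3.10.2 fix and 3.10.3 hardening releases named above, treating anything below 3.10.2 as unpatched for CVE-2026-22709.

```javascript
// Added example (not the article's or vm2's code): audit a package-lock.json for
// vm2 installs and flag versions below the releases named in the advisory.
// Handles lockfileVersion 2/3 ("packages" map) and 1 ("dependencies" tree).
const FIXED = [3, 10, 2];     // CVE-2026-22709 fixed in 3.10.2
const HARDENED = [3, 10, 3];  // further hardening shipped in 3.10.3
// Keep the numeric x.y.z; ignore a leading "v" and any prerelease suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unparseable";
  if (compare(v, FIXED) < 0) return "vulnerable";          // unpatched
  if (compare(v, HARDENED) < 0) return "upgrade-advised";  // patched, not hardened
  return "ok";
}
// Collect every vm2 install, top-level or nested under another dependency.
function findVm2(lock) {
  const found = [];
  if (lock.packages) {  // lockfileVersion 2 or 3: flat map keyed by path
    for (const [path, meta] of Object.entries(lock.packages))
      if (/(^|\/)node_modules\/vm2$/.test(path)) found.push({ path, version: meta.version });
  } else if (lock.dependencies) {  // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((f) => ({ ...f, status: classify(f.version) }));
}
// Constructed sample (v3 shape) so the script runs without a real lockfile.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/vm2": { version: "3.10.0" },
  "node_modules/some-tool/node_modules/vm2": { version: "3.10.3" },
} };
if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];  // optional path to a real package-lock.json
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const r of findVm2(lock)) console.log(`${r.path}@${r.version}: ${r.status}`);
}
```

Run it with a path to a real package-lock.json to audit a project; nested copies pulled in transitively are reported alongside the top-level one.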
Despite the patch, the maintainer has acknowledged that future bypasses are likely, urging developers to remain cautious.
Security researchers and vendors, including Semgrep, recommend considering more robust alternatives such as isolated-vm, which leverages V8’s native Isolate interface for stronger isolation. Even then, experts stress that high-risk workloads should rely on container-based isolation, such as Docker, with strict logical separation between components.