Critical severity · NVD Advisory · Published Jan 26, 2026 · Updated Jan 27, 2026
vm2 has a Sandbox Escape
CVE-2026-22709
Description
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, the sanitization of callbacks passed to Promise.prototype.then and Promise.prototype.catch can be bypassed, which allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function passed to localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not. The return value of an async function is a globalPromise object, so callbacks attached to it never pass through the sanitizer. Version 3.10.2 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vm2 (npm) | < 3.10.2 | 3.10.2 |
Affected products
- Range: < 3.10.2
References
- github.com/advisories/GHSA-99p7-6v5w-7xg8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22709 (NVD)
- github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 (commit)
- github.com/patriksimek/vm2/releases/tag/v3.10.2 (release)
- github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 (vendor advisory, CONFIRM)
News mentions
- "vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution", The Hacker News, May 7, 2026
- "Critical vm2 sandbox bug lets attackers execute code on hosts", BleepingComputer, May 6, 2026