CVE-2026-22709

CRITICAL9.8

vm2 has a Sandbox Escape

Published Jan 26, 2026

Modified 1 weeks ago

Details

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not sanitized. The return value of async functions is globalPromise object. Version 3.10.2 fixes the issue.

References

WEBhttps://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 WEBhttps://github.com/patriksimek/vm2/releases/tag/v3.10.2 WEBhttps://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2026-22709

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

Injection

CWE-94

Code Injection

Other

CWE-693

CWE-913

Ecosystems

Timeline

PublishedJan 26, 2026

ModifiedJan 27, 2026