A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.
The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.
“In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said. “This allows attackers to escape the sandbox and run arbitrary code.”
vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The newly discovered flaw stems from the library’s improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.
“The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not properly sanitized (unlike `localPromise`),” Endor Labs researchers Peyton Kennedy and Cris Staicu said.
While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it’s the latest in a steady stream of sandbox escapes that have plagued the library in recent years. This includes CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.
The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued. However, these references have since been removed from the latest README file available on its GitHub repository after the project was resurrected late last year. The Security page has also been updated as of October 2025 to mention that vm2 3.x versions are being actively maintained.
However, vm2’s maintainer has also acknowledged that new bypasses will likely be discovered in the future, urging users to make sure that they keep the library up to date and consider other robust alternatives, such as isolated-vm, for stronger isolation guarantees.
“Instead of relying on the problematic vm model, the successor to vm2, isolated-vm relies on V8’s native Isolate interface, which offers a more solid foundation, but even then, the maintainers of vm2 stress the importance of isolation and actually recommend Docker with logical separation between components,” Semgrep said.
In light of the criticality of the flaw, users are recommended to update to the most recent version (3.10.3), which comes with fixes for additional sandbox escapes.
