Vulnerability Management, Patch/Configuration Management

Critical vm2 vulnerability allows sandbox escape and arbitrary code execution

(Adobe Stock)

As reported by Bleeping Computer, a critical-severity vulnerability, CVE-2026-22709, has been identified in the vm2 Node.js sandbox library. This flaw enables attackers to escape the sandbox environment and execute arbitrary code on the underlying host system, posing a significant security risk.

The vm2 library, designed to run untrusted JavaScript code in a secure context, has a history of sandbox-escape vulnerabilities. The latest issue stems from improper sanitization of Promises, specifically when handling async functions. While vm2's internal Promise callbacks are sanitized, those returned by async functions using global Promises are not, allowing for exploitation. This vulnerability, CVE-2026-22709, was partially addressed in version 3.10.1 and fully mitigated in 3.10.2. Given its ease of exploitation, users are urged to update to the latest version, 3.10.3, which the maintainer states has fixed all disclosed vulnerabilities.

The repeated discovery of critical vulnerabilities in vm2 highlights the inherent challenges in creating truly secure sandboxing environments for untrusted code. The library's continued popularity, despite being discontinued and then revived, underscores the need for developers to remain vigilant about dependency security.

Source: Bleeping Computer

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds