Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

Staff Editor 2026-01-28
Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html

Publish Date: 2026-01-28 06:50:00

Source Domain: thehackernews.com

Ravie LakshmananJan 28, 2026Vulnerability / Open Source

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.

The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.

“In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said. “This allows attackers to escape the sandbox and run arbitrary code.”

vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

Cybersecurity

The newly discovered flaw stems from the library’s improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.

“The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not properly sanitized (unlike `localPromise`),” Endor Labs researchers Peyton Kennedy and Cris Staicu said.

While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it’s the latest in a steady stream of sandbox escapes that have plagued the library in recent years. This includes CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.

The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued. However, these references have since been removed from the latest README file available on its GitHub repository after the project was resurrected late last year. The Security page has also been updated as of October 2025 to mention that vm2 3.x versions are being…

Source

More Stories

Mountain Rides resolves cybersecurity threat | Transportation

Mountain Rides resolves cybersecurity threat | Transportation

Staff Editor 2026-06-05
NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

Staff Editor 2026-06-05
Ashley Devoto Named Air Force CIO

Ashley Devoto Named Air Force CIO

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy