{"id":209127,"date":"2026-01-28T06:50:00","date_gmt":"2026-01-28T11:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/28\/critical-vm2-node-js-flaw-allows-sandbox-escape-and-arbitrary-code-execution\/"},"modified":"2026-02-02T09:25:10","modified_gmt":"2026-02-02T14:25:10","slug":"critical-vm2-node-js-flaw-allows-sandbox-escape-and-arbitrary-code-execution","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/28\/critical-vm2-node-js-flaw-allows-sandbox-escape-and-arbitrary-code-execution\/","title":{"rendered":"Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution"},"content":{"rendered":"

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/01\/critical-vm2-nodejs-flaw-allows-sandbox.html<\/a><\/p>\n

Publish Date: 2026-01-28 06:50:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Jan 28, 2026<\/span><\/span>Vulnerability \/ Open Source<\/span><\/p>\n

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.<\/p>\n

The vulnerability, tracked as CVE-2026-22709<\/strong>, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.<\/p>\n

“In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said. “This allows attackers to escape the sandbox and run arbitrary code.”<\/p>\n

vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.<\/p>\n

\"Cybersecurity\"<\/p>\n

The newly discovered flaw stems from the library’s improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.<\/p>\n

“The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not properly sanitized (unlike `localPromise`),” Endor Labs researchers Peyton Kennedy and Cris Staicu said.<\/p>\n

While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it’s the latest in a steady stream of sandbox escapes that have plagued the library in recent years. This includes CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.<\/p>\n

The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued. However, these references have since been removed from the latest README file available on its GitHub repository after the project was resurrected late last year. The Security page has also been updated as of October 2025 to mention that vm2 3.x versions are being…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution https:\/\/thehackernews.com\/2026\/01\/critical-vm2-nodejs-flaw-allows-sandbox.html Publish Date: 2026-01-28…<\/p>\n","protected":false},"author":1,"featured_media":209128,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir_Rl9Xy1aEtQBIw6aqscoEj4444e7H2BJLRbPSyqbi2DMtc22vTReAQM6ye0KR8pr1iBs4YA3KIdgfAvfBuIGBMrd7JYL5P9NNnNt6vgeD_B5GStVh1Bq5DzgnRsViE-z_dmkuGuhWTchwmk3ULxzq7_vVoUnKnwFaQtqVyCDf-oHiqBeiViqAlqdsGsi\/s1700-e365\/vm2.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-209127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209127"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209127"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209127\/revisions"}],"predecessor-version":[{"id":209129,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209127\/revisions\/209129"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209128"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}