The widely used vm2 Node.js library has been found to have a critical sandbox escape vulnerability that, if successfully exploited, could enable attackers to run arbitrary code on the underlying operating system. The vulnerability, identified as CVE-2026-22709, has a CVSS score of 9.8 out of 10.0.
"In VM2 for version 3.10.0, it is possible to get around Promise.prototype.then / Promise.prototype.catch callback sanitization," according to VM2 maintainer Patrik Simek. "This enables attackers to run arbitrary code and get out of the sandbox." The Node.js library vm2 allows untrusted code to run in a sandboxed environment by intercepting and proxying JavaScript objects so that sandboxed code cannot reach the host environment.
The recently identified vulnerability is caused by the library's inadequate sanitization of Promise handlers, which creates an escape vector through which arbitrary code can be executed outside the sandbox boundary. The crucial realization, according to Endor Labs researchers Peyton Kennedy and Cris Staicu, is that JavaScript async functions return `globalPromise` objects rather than `localPromise` objects, and that `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not adequately sanitized (unlike `localPromise`). Although vm2 version 3.10.2 fixes CVE-2026-22709, it is only the most recent of several sandbox escapes that have afflicted the library in recent years.
Among them are CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903. In July 2023, Simek announced the project's discontinuation following the discovery of CVE-2023-37903.
The most recent README file in its GitHub repository, however, no longer includes these references, and as of October 2025 the Security page has been updated to state that vm2 3.x versions are actively maintained. The maintainer of vm2 has acknowledged that new bypasses will probably be found in the future, so users are advised to keep the library updated and to consider alternatives such as isolated-vm for stronger isolation guarantees.
"The successor to vm2, isolated-vm, relies on V8's native Isolate interface instead of the problematic vm model, which offers a more solid foundation, but even then, the maintainers of vm2 stress the importance of isolation and actually recommend Docker with logical separation between components," Semgrep stated. Given the criticality of the flaw, users are advised to update to the latest version (3.10.3), which includes fixes for additional sandbox escapes.
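Because the advice above is to ensure no vm2 copy older than 3.10.3 remains installed (nested copies pulled in by other dependencies included), the following is an added example, not code from the article or the vm2 project, that scans a package-lock.json for vm2 entries below that version. The sample lockfile is constructed for illustration; only the fixed version number comes from the article.

```javascript
// Added example: flag vm2 entries in a package-lock.json that predate the
// fixed release named in the article. FIXED_VM2 is from the article; the
// lockfile below is a constructed sample, not a real project's lockfile.
const FIXED_VM2 = '3.10.3';

// Minimal semver compare on MAJOR.MINOR.PATCH, ignoring pre-release tags.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every installed vm2 version, covering both the lockfileVersion 1
// ("dependencies", nested) and lockfileVersion 2/3 ("packages", flat) layouts.
function findVm2Versions(lock) {
  const found = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      found.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') found.push({ path, version: dep.version });
      walk(dep.dependencies, path + '/'); // nested copies under other packages
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Returns the vm2 entries that are still below the fixed release.
function vulnerableVm2(lockJson) {
  return findVm2Versions(JSON.parse(lockJson))
    .filter(e => compareVersions(e.version, FIXED_VM2) < 0);
}

// Constructed sample (v3 layout): a patched top-level vm2 plus an outdated
// copy nested under another dependency, which a top-level check would miss.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.10.3' },
    'node_modules/some-plugin': { version: '1.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
});
for (const e of vulnerableVm2(SAMPLE_LOCK)) console.log(`${e.path} ${e.version} < ${FIXED_VM2}`);
```

Replace SAMPLE_LOCK with the contents of a real package-lock.json to audit a project; the nested-copy case is the one that `npm ls vm2` output is most often skimmed past.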