A critical vulnerability in the vm2 JavaScript sandbox library (versions ≤ 3.10.0) enables attackers to bypass sandbox protections and execute arbitrary code with full system privileges.
The flaw stems from improper sanitization of Promise callback functions and allows remote code execution without authentication or user interaction.
Vulnerability Overview
The vm2 library, deployed across 273,000 projects on npm, is designed to safely execute untrusted code in isolated environments.
However, the flaw identified by researcher patriksimek undermines this core security guarantee through a Promise-based sandbox escape technique.
| Property | Value |
|---|---|
| CVE ID | CVE-2026-22709 |
| Advisory | GHSA-99p7-6v5w-7xg8 |
| Package | vm2 (npm) |
| Affected Versions | ≤ 3.10.0 |
| Patched Version | 3.10.2 |
| Type | Sandbox Escape |
| CVSS Score | 9.8 / 10 |
Attackers can leverage async function return values to access unsanitized Promise.prototype.then callbacks, bypassing the intended sanitization layer implemented in lib/setup-sandbox.js.
The vulnerability stems from inconsistent callback sanitization across Promise implementations.
While localPromise.prototype.then callbacks receive proper sanitization checks, the globalPromise object returned by async functions bypasses these protections entirely.
Attackers exploit this inconsistency by constructing error objects with Symbol properties that trigger async function execution, exposing the unsanitized globalPromise.prototype.then method.
Once this bypass succeeds, attackers gain direct access to the host Function constructor through the Error constructor, which lets them build and run arbitrary code outside the sandbox.
This allows remote code execution, for example by invoking the child_process module or running system commands directly, without any restrictions.
The critical severity reflects the risk of full system compromise. Applications that use vm2 to execute untrusted code, including plugin systems, template sandboxes, and security analysis platforms, face immediate exploitation risk.
The attack requires no authentication, user interaction, or elevated privileges, making it trivial to weaponize at scale.
Organizations must immediately update vm2 to version 3.10.2 or later. The patch properly sanitizes globalPromise.prototype.then callbacks, closing the exploitation chain. No workarounds mitigate the vulnerability; patching is mandatory for secure operation.
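As an added example (not code from the article or from the vm2 project), the following script checks a project's package-lock.json for direct and transitive copies of vm2 in the affected range and names the fixed release; the 3.10.0 and 3.10.2 boundaries are the ones given above, and the sample lock data is constructed.

```javascript
// Added example (not from the article or the vm2 project): scan a parsed
// package-lock.json (lockfileVersion 2 or 3) for vm2 copies in the affected
// range the advisory names (<= 3.10.0) and point each one at the fixed release.
const LAST_AFFECTED_VM2 = '3.10.0';
const PATCHED_VM2 = '3.10.2';

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; prerelease tags are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric part-by-part comparison returning -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True for every version in the affected range (<= 3.10.0).
const isVulnerableVm2Version = (v) => compareSemver(v, LAST_AFFECTED_VM2) <= 0;

// Lock file keys are install paths ("node_modules/vm2",
// "node_modules/x/node_modules/vm2"), so nested transitive copies are found too.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (isVulnerableVm2Version(meta.version)) {
      findings.push({ path, version: meta.version, fixed: PATCHED_VM2 });
    }
  }
  return findings;
}

// Constructed sample lock data: a direct and a transitive affected copy plus one patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/plugin-host/node_modules/vm2': { version: '3.10.0' },
    'node_modules/other-tool/node_modules/vm2': { version: '3.10.2' },
  },
};

for (const f of findVulnerableVm2(SAMPLE_LOCK)) {
  console.log(`${f.path}: vm2 ${f.version} is affected, upgrade to ${f.fixed}`);
}
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project; a non-empty result means the upgrade described above is still outstanding somewhere in the dependency tree.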