Critical vm2 Sandbox Escape via Promise Callback Sanitization Bypass
A critical sandbox-escape vulnerability in the popular Node.js sandbox library vm2 allows attackers to bypass isolation and execute arbitrary code on the host. Tracked as CVE-2026-22709 (CVSS v3.1 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the issue stems from incomplete sanitization of Promise.prototype.then/Promise.prototype.catch callbacks in lib/setup-sandbox.js: local promise callbacks are sanitized, but global promise callbacks are not, and async functions return a globalPromise object that can be abused to reach unsanitized paths.
Public technical details describe an exploitation chain where an attacker leverages the unsanitized global promise catch behavior to obtain an error object’s constructor, traverse the prototype chain to the Function constructor, and then execute code outside the sandbox (including loading Node modules such as child_process to run system commands). The vulnerability affects vm2 versions prior to 3.10.2 (with some reporting noting exposure through 3.10.0 and below), and vm2 3.10.2 is identified as the fix; organizations running untrusted code via vm2 should prioritize upgrading and review any services that rely on vm2 for isolation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Maintainers and media urge upgrades to vm2 3.10.3
After disclosure and the 3.10.2 fix, reporting highlighted vm2 3.10.3 as the latest recommended release, with claims it includes additional or all disclosed sandbox-escape fixes. Users were advised to upgrade beyond vulnerable versions immediately.
Technical analyses and PoCs detail arbitrary code execution path
Subsequent reporting published exploit details showing how attackers could abuse unsanitized global Promise behavior, traverse to the Function constructor, and execute host commands such as via child_process.execSync. Multiple sources described proof-of-concept exploit chains and working demonstrations.
CVE-2026-22709 is publicly disclosed as a critical vm2 sandbox escape
The vulnerability was publicly disclosed as CVE-2026-22709, affecting vm2 and allowing attackers to escape the Node.js sandbox and execute arbitrary code on the host. Reports describe the root cause as incomplete sanitization of Promise.prototype.then and Promise.prototype.catch when async functions return global Promise objects.
vm2 3.10.2 fully fixes CVE-2026-22709
The vm2 maintainers released version 3.10.2 to fully address CVE-2026-22709, a sandbox escape caused by improper sanitization of Promise callback handling. The fix covers affected versions prior to 3.10.2 and is referenced by the release tag, fixing commit, and GitHub Security Advisory.
vm2 3.10.1 partially fixes the sandbox escape flaw
A partial mitigation for the vm2 sandbox escape vulnerability was released in version 3.10.1, but the issue was not fully resolved. Later reporting states the flaw remained exploitable until a subsequent release.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Dissecting CVE-2026-22709: The Zombie Exploit in Node.js vm2 - TheCyberThrone
thecyberthrone.in
Open sourceCritical vm2 vulnerability allows sandbox escape and arbitrary code execution | SC Media
scworld.com
Open sourceCritical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution
thehackernews.com
Open sourceCritical Vulnerability in VM2 Sandbox Library for Node.js Let Attackers run Untrusted Code
cybersecuritynews.com
Open sourceCritical bug in popular vm2 Node.js sandboxing library puts projects at risk | CSO Online
csoonline.com
Open sourceCVSS 9.8 Sandbox Escape: Critical vm2 Flaw Exposes Millions of Apps
securityonline.info
Open sourceCVE-2026-22709 - vm2 has a Sandbox Escape
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js Environments
The `vm2` Node.js sandboxing library was hit by a wave of critical sandbox-escape vulnerabilities that let attackers executing untrusted JavaScript break out and run arbitrary commands on the host. Reported flaws include CVE-2026-24120, which bypasses an earlier Promise-species mitigation to reach the host `Function` constructor; CVE-2026-24118, which abuses `__lookupGetter__`, `Buffer.apply`, and prototype traversal; CVE-2026-24781, which leverages `inspect` proxy unwrapping; CVE-2026-26332, which pivots through `SuppressedError`; and CVE-2026-26956, which uses WebAssembly `JSTag` exception handling on Node.js 25+. Across the advisories, affected versions span the `3.10.x` branch and earlier, with several issues requiring only the ability to submit code to a vm2 instance and no authentication or user interaction. The project responded with security releases `v3.10.5` and `v3.11.0`, with `v3.11.0` closing 13 advisories including sandbox escapes, denial-of-service bugs, information disclosure, and prototype pollution. Maintainers also patched a separate `NodeVM` issue tracked as `GHSA-m4wx-m65x-ghrr`, where enabling `nesting: true` with omitted or falsy `require` settings could expose the `vm2` package inside the sandbox and lead to host remote code execution. The releases added broader hardening measures such as `bufferAllocLimit`, stricter handling of dangerous built-ins, and filesystem checks, while maintainers warned that organizations using vm2 to run fully untrusted code should upgrade immediately and avoid treating in-process JavaScript sandboxing as a sole security boundary.
Jun 12, 2026
Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js
A wave of disclosures has exposed multiple critical flaws in the Node.js sandbox library **vm2**, showing that untrusted JavaScript can break out of the sandbox and execute commands on the host. GitHub advisories describe several distinct escape paths affecting versions as old as `3.9.6` and, in some cases, up to `3.11.3`, including a breakout through Node.js `inspect`, a Promise species bypass that defeats an earlier patch, prototype pollution through vm2’s bridge to host intrinsic prototypes, and a `NodeVM` misconfiguration path where `nesting: true` lets code bypass `require: false` and load `vm2` recursively to reach modules such as `child_process`. Public proof-of-concepts show attackers recovering the host `process` object and invoking host commands, turning vm2 from a containment boundary into a route to full host compromise. Additional reporting and upstream changes indicate the problems are broader than a single bug. Semgrep documented a new sandbox escape, while vm2 maintainers added regression tests covering descriptor- and prototype-traversal techniques used to recover host constructors such as `Function`, `AsyncFunction`, and `GeneratorFunction`, as well as callback sanitization bypasses tied to Promise handling. A later roundup described five critical vulnerabilities with no practical configuration-based workaround for deployments that execute untrusted code, and urged upgrades to **vm2 `3.11.4` or later**. The advisory backlog on the project’s GitHub page shows a concentrated set of newly published sandbox escape, builtin bypass, and host code execution issues, underscoring that organizations relying on vm2 for isolation should treat affected environments as potentially compromised.
May 25, 2026
Critical vm2 Sandbox Escapes Expose Node.js Hosts to Arbitrary Code Execution
Researchers disclosed a broad set of critical flaws in the `vm2` Node.js sandbox library that allow untrusted JavaScript to break isolation and execute arbitrary code on the host system. Reports describe 11 to 12 vulnerabilities affecting versions across the `3.9.6` to `3.11.1` range, with most rated `CVSS 9.8` to `10.0`, and impacting core protections such as built-in allowlists, object handling, prototype traversal, Promise species behavior, `util.inspect`, `Module._load()`, WebAssembly exception handling, and unsafe `nesting: true` configurations. One tracked issue, **CVE-2026-24118**, is a sandbox breakout through `__lookupGetter__` in versions prior to `3.11.0`, enabling host-level command execution with no privileges or user interaction. The disclosures reinforce long-running concerns that `vm2`'s JavaScript-only isolation model is not dependable for high-risk use cases such as multi-tenant code execution, plugin evaluation, automated grading, and serverless workloads. While some reports recommend upgrading to **vm2 `3.11.2`** for the latest protections, others note that **CVE-2026-44008** and **CVE-2026-44009** remain unpatched and argue that organizations handling untrusted code should consider stronger isolation boundaries such as containers or microVMs. Successful exploitation could expose environment variables, credentials, and files, and enable full compromise of the underlying Node.js host and potential lateral movement.
May 15, 2026