CriticalPublic exploit

Sandbox escape in vm2 Promise callback sanitization

IdentifiersCVE-2026-22709CWE-693· Protection Mechanism Failure

CVE-2026-22709 is a critical sandbox escape vulnerability in the vm2 Node.js sandbox library. In vm2 prior to 3.10.2, Promise callback sanitization can be bypassed because vm2 sanitizes callbacks on its local Promise handling path but does not correctly sanitize the global Promise path used by async functions. Specifically, in lib/setup-sandbox.js, localPromise.prototype.then is sanitized, while globalPromise.prototype.then/.catch handling is insufficient; async functions return globalPromise objects, creating a path where attacker-controlled callbacks can receive unsanitized host objects. Supporting analysis also indicates the vulnerable implementation used Function.prototype.call in global Promise handler paths, which could be intercepted by attacker-controlled code; the fix replaced this with Reflect.apply. Successful exploitation allows code running inside the vm2 sandbox to break isolation, recover host-realm objects, reach the Function constructor, and execute arbitrary code in the underlying Node.js host environment.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in complete sandbox escape and arbitrary code execution on the underlying host running Node.js. An attacker able to execute untrusted JavaScript inside vm2 can access host-realm objects, pivot to the Function constructor, and run operating system commands via Node.js primitives such as child_process. This can lead to full compromise of the hosting process and, depending on deployment privileges, theft of secrets, modification of application state, lateral movement, and service disruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, do not treat vm2 as a sufficient security boundary for untrusted code. Avoid executing untrusted JavaScript in vm2 where feasible. Where use cannot be eliminated immediately, run the sandboxed workload inside a strongly isolated environment such as a dedicated container or VM with minimal privileges, no sensitive filesystem mounts or credentials, restricted network/egress, and host hardening controls such as seccomp, AppArmor, or SELinux. Apply defense in depth and assume sandbox escape is possible.

Remediation

Patch, then assume compromise.

Upgrade vm2 to version 3.10.2 or later, which fixes CVE-2026-22709. The provided content specifically identifies 3.10.2 as the version that addresses the Promise callback sanitization flaw, and some sources further recommend moving to the latest available vm2 release for additional fixes beyond this CVE. If vm2 remains deployed, review all applications and dependencies that invoke vm2 entry points for untrusted code execution and redeploy with the patched version.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Vm2 ProjectVm2application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

48 SOURCESView more in app

cvefeed high severityNews

May 13, 2026

CVE-2026-44001 - vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

A prior vm2 vulnerability whose fix was incomplete, leaving an additional executor-to-unhandledRejection path unaddressed.

the hacker newsNews

May 7, 2026

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

A previously disclosed critical vm2 sandbox escape flaw that could lead to arbitrary code execution on the host system.

zeropath blogNews

May 4, 2026

vm2 Sandbox Escape via WebAssembly JSTag (CVE-2026-26956): Technical Breakdown with Public PoC - ZeroPath Blog | ZeroPath

A prior critical vm2 sandbox escape in vm2 3.10.0 caused by a gap in Promise callback sanitization, enabling arbitrary code execution.

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

vm2 sandbox escape leading to arbitrary code execution on the host OS.

+8 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity36

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-22709

NVD

nvd.nist.gov/vuln/detail/CVE-2026-22709

MITRE CWE · CWE-693

Protection Mechanism Failure

Patch

github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29

Vendor Advisory

github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

Release Notes

github.com/patriksimek/vm2/releases/tag/v3.10.2