vm2 · CVE-2026-22709
**Name of the Vulnerable Software and Affected Versions**
vm2 versions prior to 3.10.2
**Description**
vm2 is a Node.js library for running untrusted code in a sandbox. In versions prior to 3.10.2, the sanitization applied to callbacks passed to `Promise.prototype.then` and `Promise.prototype.catch` can be bypassed. vm2 sanitizes the callback handed to `localPromise.prototype.then` (the sandbox's own Promise), but not the callback handed to `globalPromise.prototype.then` (the host's Promise). Because an async function returns a `globalPromise` object, sandboxed code can attach an unsanitized callback to it, escape the sandbox and execute arbitrary code on the host. An attacker exploits this by crafting JavaScript that uses the unsanitized `globalPromise` object to reach host resources, for example running commands through Node's `child_process` module.
**Recommendations**
Upgrade to vm2 version 3.10.2 or later to address this vulnerability. Check transitive dependencies as well, since vm2 is often pulled in by another package rather than installed directly; `npm ls vm2` lists every copy present in a project.
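As an added example (not code from the vm2 project or from this advisory), the following script scans an npm `package-lock.json` for every installed copy of vm2, including nested copies under other packages, and flags those older than 3.10.2. The lockfile contents are constructed sample input, and the function and constant names (`FIXED_VERSION`, `findVulnerableVm2`, and so on) are assumptions of this example rather than anything vm2 ships.

```javascript
// Added example: find vm2 installs older than the fixed 3.10.2 release in an
// npm lockfile. Handles both the lockfileVersion 2/3 "packages" map and the
// older lockfileVersion 1 nested "dependencies" tree.
const FIXED_VERSION = "3.10.2"; // first release that addresses CVE-2026-22709

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring any prerelease/build suffix.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split(".").map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// True when `installed` sorts strictly before `fixed`. A prerelease of the
// fixed version (e.g. 3.10.2-beta.1) sorts before the release, so it counts
// as vulnerable too.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return String(installed).includes("-");
}

// lockfileVersion 1: recurse through nested "dependencies" objects.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "vm2" && meta.version && isVulnerableVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Returns [{ path, version }] for every vm2 copy below the fixed version.
function findVulnerableVm2(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/vm2" or "node_modules/foo/node_modules/vm2".
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (!path.endsWith("node_modules/vm2") || !meta || !meta.version) continue;
      if (isVulnerableVersion(meta.version)) hits.push({ path, version: meta.version });
    }
  } else {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): one direct vm2
// install that is vulnerable and one nested copy already on the fixed release.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.10.2" },
  },
};

// To scan a real project, replace SAMPLE_LOCKFILE with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const h of findVulnerableVm2(SAMPLE_LOCKFILE)) {
  console.log(`${h.path}: vm2 ${h.version} is older than ${FIXED_VERSION}; upgrade`);
}
```

The path in each hit tells you which package pulled in the vulnerable copy, which is what you need when the fix is bumping a dependency's dependency rather than your own `package.json`.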