PT-2026-4821 · Vm2 · Vm2
Patriksimek · Published 2026-01-26 · Updated 2026-05-07 · CVE-2026-22709
CVSS v3.1: 10.0 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.10.2
Description: vm2 is a Node.js library for running untrusted code in a sandbox. In versions prior to 3.10.2, the sanitization applied to the callbacks passed to Promise.prototype.then and Promise.prototype.catch can be bypassed. The callbacks passed to localPromise.prototype.then are sanitized, but those passed to globalPromise.prototype.then are not, and async functions return a globalPromise object. Sandboxed code can therefore obtain a promise whose then and catch accept unsanitized callbacks, escape the sandbox, and execute arbitrary code on the host. Exploitation requires only crafted JavaScript supplied to the sandbox: the unsanitized globalPromise gives it a path to host resources, for example executing commands through Node's child_process module.
Recommendations: Upgrade to vm2 version 3.10.2 or later to address this vulnerability.
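vm2 is often pulled in as a transitive dependency, so upgrading the top-level package can leave an older nested copy in place. The check below is an added example, not part of the advisory or of vm2; it scans a package-lock.json (lockfileVersion 2 or 3 "packages" map) for every vm2 entry below 3.10.2, including nested ones, with a SemVer comparison that treats 3.10.2 pre-releases as still affected. The lockfile content is constructed for the example.

```javascript
'use strict';
// Added example, not from the advisory or vm2: find every vm2 entry in a
// package-lock.json "packages" map whose version is below the fixed release.
const FIXED = '3.10.2';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// SemVer precedence: numeric core first; a pre-release sorts below its release;
// pre-release identifiers compare numerically when both are numeric.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (nx) {
      return -1;
    } else if (ny) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

function isAffected(version) {
  return compareSemver(version, FIXED) < 0;
}

// Walk the lockfile's "packages" map; vm2 may sit under another dependency's
// node_modules, so match on the path suffix rather than on the top level only.
function findAffectedVm2(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/vm2')) continue;
    if (pkg.version && isAffected(pkg.version)) hits.push({ path, version: pkg.version });
  }
  return hits;
}

// Constructed sample lockfile (not real project data): the top-level vm2 is
// fixed, but a dependency pins an older copy underneath itself.
const SAMPLE_LOCK = JSON.stringify({
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { vm2: '^3.10.2', 'some-runner': '1.0.0' } },
    'node_modules/vm2': { version: '3.10.2' },
    'node_modules/some-runner': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/some-runner/node_modules/vm2': { version: '3.9.19' },
  },
});
```

Run findAffectedVm2 over the real lockfile's contents; an empty result means no copy of vm2 below 3.10.2 is installed. The same suffix match works for npm's "node_modules/.../vm2" paths; other package managers lay out their lockfiles differently and need their own walker.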

Tags: Exploit · Fix · RCE

Weakness Enumeration: Code Injection; Protection Mechanism Failure

Related Identifiers: CVE-2026-22709; GHSA-99P7-6V5W-7XG8

Affected Products: Vm2