Summary: A critical sandbox escape vulnerability has been found in the vm2 Node.js library, a popular tool used to execute untrusted JavaScript code in isolated environments.
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2026-22709 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This vulnerability allows attackers to bypass sandbox restrictions and execute arbitrary code on the host operating system. The vulnerability stems from improper sanitization of Promise handlers, enabling malicious code to escape the vm2 sandbox. Organizations using vm2 are strongly advised to update immediately, as exploitation could result in full system compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Sandbox Escape via Promise Handler Sanitization Bypass | CVE-2026-22709 | vm2 Node.js Library <= v3.10.0 | Critical | v3.10.2+ |
Technical Summary
The vulnerability in vm2 arises from improper sanitization of Promise.prototype.then and Promise.prototype.catch handlers, which can be bypassed during asynchronous execution. JavaScript async functions return global Promise objects that are not correctly isolated within the vm2 sandbox, allowing malicious code to escape security boundaries. By exploiting this flaw, attackers can execute arbitrary commands directly on the host operating system, outside the sandbox environment. This breaks vm2's core isolation mechanism and can lead to full system compromise, data theft, and persistent unauthorized access.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2026-22709 | vm2 Node.js Library <= v3.10.0 | Improper Promise callback sanitization enables sandbox escape and host code execution. | Arbitrary code execution, System compromise |
Remediation:
Upgrade vm2 immediately to a patched version, v3.10.2 or later.
If immediate patching is not possible, apply the following temporary mitigations-
Conclusion:
This vulnerability represents a critical risk to applications relying on vm2 for secure code isolation. It enables sandbox escape and arbitrary code execution, potentially leading to full system compromise. Organizations should patch immediately and also reassess their isolation strategies for untrusted code execution.