CRITICAL🇵🇱 Wersja polska

CVE-2026-22709

CVSS 9.8v3.1pub. 2026-01-26upd. 2026-02-17

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.

🤖 AI Analysis
How it works

In the lib/setup-sandbox.js file, sanitization of callbacks is applied only to `localPromise.prototype.then` and `localPromise.prototype.catch`, while the equivalents on the `globalPromise` object remain unprotected. Since asynchronous functions (async) return a `globalPromise` object, an attacker can pass an unsanitized callback through the Promise mechanism, bypassing sandbox protection. This enables execution of arbitrary JavaScript code outside the isolated vm2 context.

Impact

An attacker can completely escape from the vm2 sandbox and execute arbitrary code in the context of the host Node.js process, potentially leading to full server compromise, data theft, and violation of system integrity and availability.

Mitigation & patch

Update the vm2 library to version 3.10.2, which fixes the described vulnerability. The patch is available in the official GitHub repository of the project (tag v3.10.2).

Who is affected

vm2 (Vm2 Project) in all versions before 3.10.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.10.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)