CVE-2026-22709

Description

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

patriksimek / vm2< 3.10.2 – < 3.10.2

References

VENDOR_ADVISORYhttps://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
PATCHhttps://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29
PATCHhttps://github.com/patriksimek/vm2/releases/tag/v3.10.2