Critical sandbox escape flaw found in popular vm2 NodeJS library
Recorded: Jan. 27, 2026, 6 p.m.
| Original | Summarized |
By Bill Toulas, January 27, 2026

A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system.

Last October, maintainer Patrik Šimek decided to resurrect the vm2 project and release version 3.10.0, which addressed all vulnerabilities known at the time and was "still compatible all the way back to Node 6."

[Figure: The published exploit snippet. Source: GitHub]
A critical security vulnerability, tracked as CVE-2026-22709, has been identified in the vm2 Node.js sandbox library. It allows code running inside the sandbox to escape it and execute arbitrary code on the host system.

The flaw stems from incomplete sanitization of Promise callbacks. vm2 sanitizes callbacks attached to its own internal Promise implementation, but it does not correctly sanitize the global Promises returned by `async` functions. As a result, `.then()` and `.catch()` callbacks attached to those global Promises cross the sandbox boundary unsanitized, and that is the avenue for exploitation. A short exploit snippet has been published on GitHub, showing how easily the flaw can be triggered.

vm2 has a documented history of sandbox escapes, including CVE-2022-36067 (disclosed by Oxeye researchers) and CVE-2023-29017 and CVE-2023-30547, all of which enabled sandbox escape and command execution on the host. Patrik Šimek revived the project last October with version 3.10.0, which addressed the vulnerabilities known at the time; he states that all disclosed vulnerabilities are now addressed in the current version of vm2, 3.10.3.
vm2 is widely used: the article cites over 200,000 projects using it on GitHub and roughly one million weekly downloads, which amplifies the potential impact of this vulnerability. Users are strongly advised to upgrade to the latest version, 3.10.3, without delay. The ease of exploitation shown by the published snippet underscores the urgency, and the library's history of sandbox escapes is a further reason for projects that depend on vm2, particularly through older or transitive versions, to check what they are actually shipping.