Platform
nodejs
Component
vm2
Fixed in
3.10.3
3.10.3
3.10.2
CVE-2026-22709 is a critical vulnerability affecting the vm2 Node.js module, specifically versions 3.10.0. This flaw allows attackers to bypass the intended sandbox restrictions and execute arbitrary code on the host system. The vulnerability stems from a flaw in the sanitization of callbacks used within Promise.prototype.then and Promise.prototype.catch. A fix is available in version 3.10.2.
The impact of CVE-2026-22709 is severe. Successful exploitation allows an attacker to completely compromise the Node.js process hosting the vulnerable application. This could lead to complete system takeover, data exfiltration, and the installation of malicious software. The ability to execute arbitrary code within the context of the Node.js process bypasses the intended security of the vm2 sandbox, rendering it ineffective. Attackers could leverage this to access sensitive data, modify application behavior, or pivot to other systems on the network. The provided proof-of-concept demonstrates the ability to execute shell commands, highlighting the critical nature of this vulnerability.
CVE-2026-22709 was publicly disclosed on January 26, 2026. A public proof-of-concept (PoC) is available, demonstrating the ease of exploitation. The vulnerability's severity and the availability of a PoC suggest a high probability of exploitation. It is not currently listed on CISA KEV, but given the critical CVSS score and public PoC, it is likely to be added. Active campaigns targeting this vulnerability are possible.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22709 is to immediately upgrade to version 3.10.2 or later of the vm2 module. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization of data passed to the vm2 sandbox. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to inspect and block malicious JavaScript payloads could offer some protection, but are not a substitute for patching. Monitor Node.js process logs for unusual activity or unexpected code execution. After upgrading, verify the fix by attempting to reproduce the exploit using the provided proof-of-concept code, ensuring it fails as expected.
Update the vm2 library to version 3.10.2 or higher. This version fixes the sandbox escape vulnerability. Run `npm install vm2@latest` or `yarn add vm2@latest` to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-22709 is a critical vulnerability in the vm2 Node.js module that allows attackers to bypass sandbox restrictions and execute arbitrary code, potentially leading to complete system compromise.
If you are using vm2 version 3.10.0, you are vulnerable. Upgrade to version 3.10.2 or later to mitigate the risk.
The recommended fix is to upgrade to version 3.10.2 or later of the vm2 module. If immediate upgrade is not possible, implement stricter input validation and sanitization.
While there is no confirmed widespread exploitation, the availability of a public proof-of-concept suggests a high probability of exploitation and active campaigns are possible.
Refer to the vm2 project's repository and release notes for the official advisory and details on the fix: [https://github.com/vm2/vm2](https://github.com/vm2/vm2)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.