CVE-2026-22709 is a critical vulnerability affecting the vm2 Node.js module, specifically version 3.10.0. This flaw allows attackers to bypass the intended sandbox restrictions and execute arbitrary code on the host system. The vulnerability stems from a flaw in the sanitization of callbacks passed to Promise.prototype.then and Promise.prototype.catch. A fix is available in version 3.10.2.
The impact of CVE-2026-22709 is severe. Successful exploitation allows an attacker to completely compromise the Node.js process hosting the vulnerable application. This could lead to complete system takeover, data exfiltration, and the installation of malicious software. The ability to execute arbitrary code within the context of the Node.js process bypasses the intended security of the vm2 sandbox, rendering it ineffective. Attackers could leverage this to access sensitive data, modify application behavior, or pivot to other systems on the network. The provided proof-of-concept demonstrates the ability to execute shell commands, highlighting the critical nature of this vulnerability.
CVE-2026-22709 was publicly disclosed on January 26, 2026. A public proof-of-concept (PoC) is available, demonstrating the ease of exploitation. The vulnerability's severity and the availability of a PoC suggest a high probability of exploitation. It is not currently listed on CISA KEV, but given the critical CVSS score and public PoC, it is likely to be added. Active campaigns targeting this vulnerability are possible.
Applications utilizing the vm2 module for sandboxing, particularly those handling untrusted user input or executing third-party code, are at significant risk. This includes applications performing code evaluation, running untrusted scripts, or providing a scripting environment to users. Shared hosting environments where multiple applications share the same Node.js process are also particularly vulnerable, as a compromise of one application could lead to the compromise of others.
• nodejs / supply-chain (the CommandLine property is exposed by Get-Process on PowerShell 7 and later):
  Get-Process | Where-Object {$_.ProcessName -eq 'node'} | Select-Object -ExpandProperty CommandLine | Select-String -Pattern 'vm2'
• nodejs / supply-chain (the XPath filter is wrapped in double quotes so the single-quoted attribute values inside it do not terminate the PowerShell string):
  Get-WinEvent -LogName Application -FilterXPath "//Event[System[Provider[@Name='Node.js Internal']] and EventData[Data[@Name='errorType']='uncaughtException']]"
• generic web:
  curl -I https://your-node-app.com/ | grep 'X-Powered-By: Node.js'
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2026-22709 is to immediately upgrade to version 3.10.2 or later of the vm2 module. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization of data passed to the vm2 sandbox. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to inspect and block malicious JavaScript payloads could offer some protection, but are not a substitute for patching. Monitor Node.js process logs for unusual activity or unexpected code execution. After upgrading, verify the fix by attempting to reproduce the exploit using the provided proof-of-concept code, ensuring it fails as expected.
Upgrade the vm2 library to version 3.10.2 or later. This version fixes the sandbox escape vulnerability. Run `npm install vm2@latest` or `yarn add vm2@latest` to upgrade.
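To confirm that no copy of vm2 below the fixed release remains in a project after upgrading, the lockfile audit below walks every installed vm2 (including nested copies under other dependencies) and flags versions older than 3.10.2, the remediation threshold stated above. This is an added example written for this page, not code from the advisory or the vm2 project; it assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map) and the constructed sample lockfile embedded in the block.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3)
// for vm2 versions below the fixed release named in the advisory.
const FIXED_VM2 = "3.10.2";

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" is tolerated).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Anything older than the fixed release is treated as vulnerable.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VM2) < 0;
}

// Walk the lockfile "packages" map; keys look like "node_modules/vm2"
// or "node_modules/some-dep/node_modules/vm2" for nested copies.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta && meta.version && isVulnerableVm2(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 still on 3.10.0 (flagged)
// and a nested copy already on 3.10.2 (not flagged).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.0" },
    "node_modules/some-dep/node_modules/vm2": { version: "3.10.2" },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the upgrade has not reached every copy of vm2.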
CVE-2026-22709 is a critical vulnerability in the vm2 Node.js module that allows attackers to bypass sandbox restrictions and execute arbitrary code, potentially leading to complete system compromise.
If you are using vm2 version 3.10.0, you are vulnerable. Upgrade to version 3.10.2 or later to mitigate the risk.
The recommended fix is to upgrade to version 3.10.2 or later of the vm2 module. If immediate upgrade is not possible, implement stricter input validation and sanitization.
While there is no confirmed widespread exploitation, the availability of a public proof-of-concept suggests a high probability of exploitation and active campaigns are possible.
Refer to the vm2 project's repository and release notes for the official advisory and details on the fix: [https://github.com/vm2/vm2](https://github.com/vm2/vm2)