The Async Escape: Critical 9.8 Flaw in vm2 Turns JavaScript Sandboxes Into Open Gateways
A critical sandbox escape vulnerability has been disclosed in vm2, a library widely used to run untrusted JavaScript inside Node.js. Tracked as CVE-2026-22709 and rated CVSS 9.8, the flaw lets an attacker who can get code into the sandbox execute arbitrary commands on the host process (remote code execution), turning the isolation boundary into an entry point.
The bug lies in vm2's handling of Promises. vm2 "sanitizes" callbacks passed to Promise.prototype.then and Promise.prototype.catch so that sandboxed code is not handed raw host-realm objects (an unsanitized callback can receive an object from the host realm, and from such an object's constructors the host's Function constructor, and therefore process, is reachable). That protection was applied inconsistently: in lib/setup-sandbox.js the fix covered localPromise.prototype.then but left globalPromise.prototype.then unprotected. Because async functions return a globalPromise, attacker-supplied code can obtain a promise whose then is never sanitized and use it to escape isolation and run commands on the host.
According to the GitHub Security Advisory, the vulnerability affects vm2 up to and including 3.10.2 (the 3.10.x line), and is fixed in version 3.10.3. Some reports cite a wider range of affected versions; the safe assumption is that every release before 3.10.3 is vulnerable.
Teams that use vm2, directly or as a transitive dependency, should upgrade to 3.10.3 without delay; that release adds further checks against bypasses involving Symbols and Promises. After upgrading, audit the dependency tree (for example with npm list vm2) to confirm that no older copy remains pinned beneath another package. Beyond the patch, organisations should weigh stronger isolation, such as running untrusted JavaScript in a separate process or container, particularly when the threat model includes executing high-risk third-party code: an in-process sandbox like vm2 shares a realm boundary with its host, and this advisory is one more case where a single missed hand-off across that boundary was enough.