{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22709", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-08T19:23:09.857Z", "datePublished": "2026-01-26T21:32:00.215Z", "dateUpdated": "2026-01-27T21:42:27.920Z"}, "containers": {"cna": {"title": "vm2 has a Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-913", "lang": "en", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8"}, {"name": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29"}, {"name": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T21:32:00.215Z"}, "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue."}], "source": {"advisory": "GHSA-99p7-6v5w-7xg8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:42:17.760812Z", "id": "CVE-2026-22709", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:42:27.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22709", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T21:42:17.760812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:42:24.536Z"}}], "cna": {"title": "vm2 has a Sandbox Escape", "source": {"advisory": "GHSA-99p7-6v5w-7xg8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"status": "affected", "version": "< 3.10.2"}]}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8", "name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29", "name": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2", "name": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-913", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T21:32:00.215Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22709", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:42:27.920Z", "dateReserved": "2026-01-08T19:23:09.857Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T21:32:00.215Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CD4F9978-8CFB-4C45-8C2A-469413D81852", "versionEndExcluding": "3.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue."}], "id": "CVE-2026-22709", "lastModified": "2026-02-17T20:59:29.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-26T22:15:55.890", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}, {"lang": "en", "value": "CWE-913"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:37:41.884735+00:00", "value": {"mitigation_remediation": ["Ensure all dependencies use vm2 version 3.10.2 or later by updating the package through npm or yarn.", "If an immediate upgrade is not feasible, audit the code paths that instantiate vm2 sandboxes and remove any usage of Promise chains or disable the Promise prototype within the sandbox configuration.", "As a temporary containment, restrict the sandbox to trusted code only and monitor for anomalous Promise activity until a patch can be applied."], "summary": {"action": "Patch Immediately", "impact": "Executing arbitrary code outside the vm2 sandbox"}, "threat_synthesis": {"affected_systems": "Any installation of the patriksimek:vm2 project on Node.js that uses a version earlier than 3.10.2 is subject to this flaw. The vulnerability is tied specifically to the vm2 sandbox component and does not affect other parts of the Node.js runtime unless they incorporate the unpatched vm2 dependency.", "description_and_impact": "vm2 provides an isolated environment for executing JavaScript code within Node.js. In versions prior to 3.10.2, the library sanitizes the callback of local Promise objects but not that of the global Promise prototype. As a result, an attacker can craft a Promise chain that bypasses the sanitization routine, causing code to run outside the intended sandbox boundaries. This vulnerability is an instance of improper resource limitation, contextual integrity violation, and command injection as identified by Common Weakness Enumerations 693, 913, and 94 respectively. The escalation enables unrestricted execution of malicious payloads, potentially compromising confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating critical severity, while the EPSS suggests a very low, yet non-zero probability of exploitation (<1%). The vulnerability is not listed in the CISA KEV catalog. Exploitation would generally require an attacker to supply malicious JavaScript to a sandboxed environment, a scenario common in npm package execution or plugin systems. Once the unsanitized global Promise is invoked, the attacker gains control to execute arbitrary code on the host Node.js process."}}}}, "created": "2026-01-27T09:03:21.491098+00:00", "updated": "2026-04-18T02:45:27.280244+00:00", "vendors": ["patriksimek", "patriksimek$PRODUCT$vm2"]}