CVE-2026-22709

Summary

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not sanitized. The return value of async functions is globalPromise object. Version 3.10.2 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
patriksimekvm2< 3.10.2affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-913: CWE-913: Improper Control of Dynamically-Managed Code Resources
  • CWE-693: CWE-693: Protection Mechanism Failure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References