CVE-2026-22709

9.8 CRITICAL

📋 TL;DR

This vulnerability in the vm2 sandbox for Node.js allows attackers to bypass Promise callback sanitization and escape the sandbox. A successful escape yields arbitrary code execution on the host with the privileges of the Node.js process. Any application using a vulnerable version of vm2 is affected.

💻 Affected Systems

Products:
  • vm2
Versions: All versions prior to 3.10.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using vm2 sandbox functionality is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Node.js host system, allowing arbitrary code execution, data exfiltration, and lateral movement within the environment.

🟠 Likely Case

Remote code execution on the affected Node.js server, potentially leading to data theft, service disruption, or further system compromise.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though sandbox escape still poses significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.2

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

Restart Required: Yes

Instructions:

1. Update vm2 dependency to version 3.10.2 or later
2. Run 'npm update vm2' or 'yarn upgrade vm2'
3. Restart all Node.js applications using vm2
4. Verify the update with 'npm list vm2'

🔧 Temporary Workarounds

Disable vm2 usage

Platforms: all

Temporarily disable or remove vm2 sandbox functionality from applications:

npm uninstall vm2
yarn remove vm2

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Apply least privilege principles to Node.js processes running vm2

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list vm2' to see if version is below 3.10.2

Check Version:

npm list vm2 | grep vm2

Verify Fix Applied:

Verify vm2 version is 3.10.2 or higher with 'npm list vm2'
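The "Check Version" and "Verify Fix Applied" steps above are manual. As an added example (not from the advisory or the vm2 project), the POSIX shell script below makes the check scriptable and handles the one place it is easy to get wrong: a plain string comparison sorts "3.9.19" after "3.10.2", so a vulnerable install would look patched. The script compares major.minor.patch numerically and treats a pre-release of 3.10.2 as not yet fixed. The `npm ls vm2 --json` output embedded in the script is constructed sample data; the `--live` flag and all function names are this example's own.

```shell
#!/bin/sh
# Added example: check whether the installed vm2 is at or above the fixed
# release. Not part of the advisory; function names and the --live flag are
# this example's own conventions.

FIXED_VERSION="3.10.2"

# vm2_is_fixed VERSION
#   exit 0 -> VERSION >= 3.10.2 (patched)
#   exit 1 -> VERSION <  3.10.2 (vulnerable), or VERSION is empty
# Compares major.minor.patch as integers, so "3.9.19" < "3.10.2" as intended.
# A pre-release tag (3.10.2-rc.1) ranks below the release, per semver.
vm2_is_fixed() {
    [ -n "$1" ] || return 1
    printf '%s %s\n' "$1" "$FIXED_VERSION" | awk '{
        pre = ($1 ~ /-/)                 # pre-release suffix present?
        sub(/[-+].*$/, "", $1)           # drop -rc.1 / +build metadata
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        # same major.minor.patch: a pre-release is still below the release
        exit (pre ? 1 : 0)
    }'
}

# vm2_version_from_npm_json JSON
#   Print the installed vm2 version from `npm ls vm2 --json` output, without
#   needing jq. Prints nothing if vm2 is not in the tree.
vm2_version_from_npm_json() {
    printf '%s\n' "$1" | tr -d '\n' \
      | sed -n 's/.*"vm2"[[:space:]]*:[[:space:]]*{[^}]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# vm2_status JSON -> prints one of: patched | vulnerable | not-installed
vm2_status() {
    ver=$(vm2_version_from_npm_json "$1")
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif vm2_is_fixed "$ver"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample of `npm ls vm2 --json` for an app pinned to a vulnerable
# release (sample data, not a real project).
SAMPLE_NPM_LS_JSON='{
  "version": "1.0.0",
  "name": "example-app",
  "dependencies": {
    "vm2": {
      "version": "3.9.19",
      "resolved": "https://registry.npmjs.org/vm2/-/vm2-3.9.19.tgz",
      "overridden": false
    }
  }
}'

# Usage: sh check_vm2.sh          -> evaluates the constructed sample above
#        sh check_vm2.sh --live   -> inspects the npm project in the current directory
if [ "${1:-}" = "--live" ]; then
    json=$(npm ls vm2 --json 2>/dev/null || true)
else
    json="$SAMPLE_NPM_LS_JSON"
fi
printf 'vm2 status: %s (installed: %s, fixed in: %s)\n' \
    "$(vm2_status "$json")" "$(vm2_version_from_npm_json "$json")" "$FIXED_VERSION"
```

Run it inside each deployed application directory (or point a CI job at it with `--live`); `npm ls` only reports the dependency tree that is actually installed, so a lockfile that still pins an old vm2 shows up even when package.json declares a newer range.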

📡 Detection & Monitoring

Log Indicators:

  • Unusual Node.js process behavior
  • Sandbox escape attempts in application logs
  • Unexpected child process creation

Network Indicators:

  • Unexpected outbound connections from Node.js processes
  • Command and control traffic patterns

SIEM Query:

process.name:node.exe AND (process.args:*vm2* OR process.args:*sandbox*)

Note: node.exe is the Windows binary name; on Linux and macOS hosts the process is named node, so widen the process.name clause to cover both. The wildcard on sandbox also matches unrelated processes, so treat hits as leads for review rather than confirmed exploitation.
