CVE-2026-22709: Critical vm2 Sandbox Flaw Lets Untrusted JavaScript Break Free and Execute Code on Host Systems

CVE-2026-22709 – vm2 Node.js Sandbox Escape

Vulnerability Overview

CVE ID: CVE-2026-22709
Affected Component: vm2 (Node.js JavaScript sandbox)
Vulnerability Type: Sandbox Escape leading to Arbitrary Code Execution
CVSS v3.1 Score: 9.8 (Critical)
Severity: Critical
Attack Complexity: Low
Privileges Required: None (beyond ability to execute code inside vm2)
User Interaction: Not required
Impact: Full compromise of the Node.js process and underlying host

Official Patch / Upgrade: Link provided below


Description

A critical security vulnerability was identified in the vm2 sandbox library used for executing untrusted JavaScript code in Node.js environments. The issue allows malicious JavaScript running inside the sandbox to escape its restricted environment and execute arbitrary code on the host system.

The vulnerability exists due to inconsistent sanitization of Promise objects and their callback mechanisms. While vm2 applied security controls to its internally scoped Promise implementation, async functions returned a globally scoped Promise object that was not fully sanitized. This discrepancy created an execution path where attacker-controlled callbacks were executed in a privileged host context.

Once the sandbox boundary was crossed, access to host-level JavaScript constructors such as Function became possible. From there, arbitrary code execution could be achieved, including access to Node.js core modules and operating system commands.


Affected Versions

All vm2 versions up to and including 3.10.1 are affected.

The vulnerability has been fully addressed in vm2 version 3.10.2, where Promise handling and callback sanitization logic were corrected to eliminate the sandbox escape vector.


Technical Root Cause

The vulnerability was caused by a design flaw in how vm2 handled asynchronous execution contexts:

  1. vm2 maintained a locally scoped Promise implementation intended to restrict access to unsafe host objects.
  2. Async JavaScript functions, by specification, returned a Promise object derived from the global execution context rather than vm2’s internal Promise.
  3. The global Promise prototype and its callback execution path were not sanitized to the same degree as the sandboxed Promise.
  4. By crafting malicious Promise chains and overriding prototype behaviors (such as Function.prototype.call), attacker-supplied callbacks were invoked with access to unsanitized host references.
  5. This allowed privileged objects such as Function, Error, or Node.js internals to be accessed and abused.

The end result was execution of attacker-controlled code outside the intended sandbox boundary.


Exploitation Details (Educational)

Public proof-of-concept exploits have been released for educational and research purposes demonstrating:

  • Promise-based callback manipulation
  • Recovery of host constructors
  • Escalation from sandboxed execution to system-level command execution

These demonstrations show that exploitation is reliable and repeatable when vulnerable versions of vm2 are used. No memory corruption or race conditions are involved, making the exploit stable across environments.


Impact

Successful exploitation allows:

  • Arbitrary command execution on the host system
  • Access to filesystem contents
  • Network communication under the Node.js process identity
  • Complete compromise of applications relying on vm2 for isolation
  • Potential lateral movement if the service runs with elevated privileges

Any environment that executes user-supplied or dynamically generated JavaScript using vm2 is considered high risk until patched.


Detection Strategy

Log Sources to Monitor

The following log sources are essential for detection:

  • Operating system process creation logs (Linux auditd, Windows Sysmon)
  • Endpoint Detection and Response (EDR) telemetry
  • Application logs for sandbox execution
  • Container runtime logs (Docker / Kubernetes)
  • CI/CD dependency scanning logs

Behavioral Indicators of Compromise

The following behaviors should be considered suspicious:

  • Node.js processes spawning shell binaries
  • Node.js processes invoking system utilities unexpectedly
  • Sudden outbound network connections from sandbox services
  • Runtime usage of Function, eval, or child_process in sandboxed contexts
  • Error logs referencing host paths or native modules from sandbox code

Sample Detection Rules

Sigma Rule

title: Node.js Spawning Shell from Sandbox Context
id: cve-2026-22709-node-shell
status: experimental
description: Detects Node.js processes spawning OS shells, which may indicate sandbox escape
logsource:
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '/node'
      - '\node.exe'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
level: high

Splunk Query

(index=os OR index=sysmon)
(ParentImage="*/node" OR ParentImage="*\\node.exe")
(Image="*/sh" OR Image="*/bash" OR Image="*/dash" OR Image="*\\cmd.exe" OR Image="*\\powershell.exe")
| stats count by host, ParentImage, Image, CommandLine, User

This query identifies Node.js processes launching shell interpreters, which is a strong indicator of sandbox escape or arbitrary code execution.


Repository and Build-Time Detection

Manual Repository Scan

To identify vulnerable usage:

grep -R "\"vm2\"" .

If vm2 is present, confirm the version. Any version ≤ 3.10.1 should be considered vulnerable.


CI/CD Hard-Fail Example

# Read the vm2 version actually installed (empty if vm2 is absent) and hard-fail on <= 3.10.1 (GNU sort -V)
ver=$(node -p "JSON.parse(require('fs').readFileSync('node_modules/vm2/package.json')).version" 2>/dev/null || true)
if [ -n "$ver" ] && [ "$(printf '%s\n' "$ver" 3.10.1 | sort -V | tail -n1)" = "3.10.1" ]; then
  echo "ERROR: Vulnerable vm2 version $ver detected (<= 3.10.1). Upgrade to 3.10.2 or later."
  exit 1
fi
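The manual repository scan and the CI hard-fail above both reduce to one question: which vm2 versions does the lockfile actually resolve to, including nested copies pulled in by other packages? The following is an added example (not the project's code) that answers it for package-lock.json; the lockfile layouts it handles are npm's documented v1 and v2/v3 shapes, and the sample lockfile is constructed.

```javascript
// Added example, not from the advisory: find every vm2 copy recorded in a package-lock.json (lockfile
// v2/v3 "packages" map or legacy v1 "dependencies" tree) and flag versions below the fixed 3.10.2 release.
const FIXED_VERSION = '3.10.2';

// Compare dotted versions (pre-release suffix dropped): negative when a < b, 0 when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = a.replace(/-.*$/, '').split('.').map(Number);
  const pb = b.replace(/-.*$/, '').split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Collect every installed vm2 entry (direct or nested) with its resolved version.
function findVm2Entries(lock) {
  const found = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === 'node_modules/vm2' || key.endsWith('/node_modules/vm2')) {
      found.push({ path: key, version: entry.version });
    }
  }
  // Legacy lockfile v1 nests "dependencies" objects instead of using a flat "packages" map.
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'vm2') found.push({ path: p, version: dep.version });
      walk(dep.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Entries older than the fix. package.json ranges such as "^3.9.0" are ignored on purpose:
// only the lockfile records which version is actually installed.
function findVulnerableVm2(lock) {
  return findVm2Entries(lock).filter((e) => e.version && compareVersions(e.version, FIXED_VERSION) < 0);
}
// Constructed sample lockfile: a direct vulnerable vm2 plus a nested, already patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.10.1' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '^3.10.2' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.10.2' },
  },
};
```

Pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to findVulnerableVm2 to scan a real lockfile; a non-empty result is the condition a CI job should fail on.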

Ready-to-Apply CodeQL Query

The following CodeQL query detects usage of high-risk APIs commonly abused after sandbox escape or during unsafe sandbox implementations.

CodeQL – Dangerous JavaScript Execution Patterns

import javascript

// Flags eval(...), Function(...) / new Function(...), and any call to a member of the
// child_process module (exec, spawn, execSync, ...), whether invoked as cp.exec or destructured.
from InvokeExpr call
where
  call.getCalleeName() = ["eval", "Function"]
  or
  call = DataFlow::moduleImport(["child_process", "node:child_process"]).getAMemberCall(_).asExpr()
select call,
  "Potentially dangerous dynamic code execution or process spawning detected."

This query highlights:

  • Dynamic code evaluation
  • Use of the Function constructor
  • Direct access to child_process APIs

These patterns are commonly leveraged once a sandbox boundary has been bypassed.


MITRE ATT&CK Mapping

  • TA0002 – Execution
  • TA0005 – Defense Evasion
  • T1059 – Command and Scripting Interpreter
  • T1497 – Virtualization / Sandbox Evasion

Mitigation and Remediation

  • Immediate upgrade to vm2 v3.10.2 or later
  • Avoid reliance on vm2 as a security boundary for high-risk workloads
  • Run Node.js services with minimal OS privileges
  • Isolate untrusted code execution into separate processes or containers
  • Enable strict logging and behavioral monitoring
  • Perform retrospective threat hunting on systems that previously ran vulnerable versions

Official Patch

Upgrade to the fixed release using the official project repository:

https://github.com/patriksimek/vm2/releases/tag/v3.10.2


Final Takeaway

CVE-2026-22709 is a critical sandbox escape vulnerability in vm2 that allows untrusted JavaScript to break out of isolation and execute arbitrary code on the host. Any application running vm2 ≤ 3.10.1 should be considered at high risk.

The issue stems from improper sanitization of async Promise callbacks, making the sandbox unreliable as a security boundary. Public proof-of-concepts exist, increasing the likelihood of exploitation.

Key points:

  • Treat this as full remote code execution, not a minor sandbox bug
  • Upgrade immediately to vm2 v3.10.2 or later
  • Monitor for Node.js spawning system shells or commands
  • Do not rely on vm2 alone for isolating hostile code

This vulnerability reinforces the need for defense-in-depth and strict isolation when executing untrusted JavaScript.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.