CVE-2026-22709
CRITICAL WAF: Medium
CVSS 10.0
Published: 2026-01-26
CWE-94
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| vm2_project | vm2 | up to 3.10.2 |
References
- github.com (Patch)
- github.com (Product, Release Notes)
- github.com (Exploit, Vendor Advisory)