Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution
A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system. "In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch
AI Analysis
Technical Summary
The vm2 Node.js library provides a sandbox environment to safely execute untrusted JavaScript code by intercepting and proxying objects to prevent access to the host environment. However, a critical vulnerability identified as CVE-2026-22709 arises from improper sanitization of Promise.prototype.then and Promise.prototype.catch handlers in vm2 version 3.10.0. Specifically, asynchronous JavaScript functions return global Promise objects rather than local Promise objects, and vm2 fails to sanitize these global Promise handlers properly. This oversight allows attackers to bypass the sandbox restrictions and execute arbitrary code on the underlying operating system, effectively escaping the sandbox. The vulnerability carries a CVSS score of 9.8, reflecting its critical nature. The flaw was discovered by Endor Labs researchers and promptly patched in vm2 versions 3.10.2 and 3.10.3. This vulnerability is part of a series of sandbox escapes that have affected vm2 over recent years, leading to concerns about the library's security model. The vm2 maintainer recommends keeping the library updated and considering alternatives like isolated-vm, which leverages V8's native Isolate interface for stronger isolation. Additionally, deploying sandboxed code within containerized environments such as Docker is advised to provide logical separation and mitigate risks. The vulnerability does not require user interaction and can be exploited remotely if untrusted code execution is possible, making it highly dangerous for applications relying on vm2 for sandboxing untrusted JavaScript code.
Potential Impact
For European organizations, the impact of this vulnerability is significant. Many enterprises and cloud service providers use Node.js and vm2 to safely execute third-party or user-generated JavaScript code in web applications, microservices, and serverless functions. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, access sensitive data, disrupt services, or pivot within networks. This threatens confidentiality, integrity, and availability of critical systems. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often rely on Node.js-based platforms, face heightened risks. The vulnerability also undermines trust in sandboxing mechanisms, potentially exposing supply chains and software ecosystems that depend on vm2. Given the ease of exploitation without user interaction and the critical severity, the threat could facilitate ransomware deployment, data breaches, or espionage campaigns targeting European infrastructure and enterprises.
Mitigation Recommendations
1. Immediately update all vm2 library instances to version 3.10.3 or later, which includes patches for this and other sandbox escape vulnerabilities.
2. Audit all applications and services that use vm2 to identify untrusted code execution points and assess exposure.
3. Consider migrating to more secure sandboxing alternatives such as isolated-vm, which uses V8's native Isolate interface for stronger isolation guarantees.
4. Implement containerization (e.g., Docker) to provide an additional layer of logical separation between sandboxed code and host systems, limiting potential damage from escapes.
5. Enforce strict code review and validation for any third-party or user-generated JavaScript executed within sandboxes.
6. Monitor runtime environments for anomalous behavior indicative of sandbox escape attempts or arbitrary code execution.
7. Stay informed on vm2 security advisories and emerging sandbox escape vulnerabilities to apply timely updates.
8. Where feasible, restrict network and filesystem access for sandboxed environments to minimize attack surface.
9. Employ defense-in-depth strategies combining sandboxing, containerization, and host-based security controls to mitigate risks.
10. Educate development and DevOps teams about the limitations of vm2 sandboxing and the importance of layered security.
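Steps 1 and 2 above amount to one concrete check: find every copy of vm2 a project installs, including nested copies pulled in transitively, and flag those below the patched release. The script below is an added example written for this page; it is not code from the article, from Endor Labs or from the vm2 project. It walks an npm package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 "dependencies" tree) and reports any vm2 entry older than 3.10.3, the floor the mitigation step names. The lockfile embedded in it is constructed sample data, not a real project.

```javascript
// Added example (not from the article or the vm2 project): audit an npm
// package-lock.json for vm2 versions below the advisory's patched release.
// Assumes lockfile structure as written by npm; sample data below is constructed.

const PATCHED_VM2 = '3.10.3'; // floor from mitigation step 1

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is strictly lower than version b (numeric, so 3.9.x < 3.10.x).
function isBelow(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// lockfileVersion 1: nested "dependencies" objects, each with a "version".
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && meta.version && isBelow(meta.version, PATCHED_VM2)) {
      findings.push({ path, version: meta.version });
    }
    walkV1(meta.dependencies, `${path}/`, findings);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function walkPackages(packages, findings) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === '' || !path.endsWith('node_modules/vm2')) continue;
    if (meta.version && isBelow(meta.version, PATCHED_VM2)) {
      findings.push({ path, version: meta.version });
    }
  }
}

// Returns every vm2 copy below the patched release, with the install path so the
// finding can be traced back to the dependency that pulled it in.
function findVulnerableVm2(lockfile) {
  const findings = [];
  if (lockfile.packages) {
    walkPackages(lockfile.packages, findings);
  } else {
    walkV1(lockfile.dependencies, '', findings);
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3): a direct vm2 at 3.10.0 (below the
// floor) and a nested copy at 3.10.3 (at the floor) under a hypothetical plugin.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.10.0' } },
    'node_modules/vm2': { version: '3.10.0' },
    'node_modules/some-plugin': { version: '1.2.0', dependencies: { vm2: '^3.10.3' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.10.3' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

function main() {
  const findings = findVulnerableVm2(SAMPLE_LOCKFILE);
  if (findings.length === 0) {
    console.log(`no vm2 below ${PATCHED_VM2} found`);
  }
  for (const f of findings) {
    console.log(`vm2 ${f.version} at ${f.path} is below ${PATCHED_VM2}; update it`);
  }
  return findings;
}

main();
```

To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of that project's package-lock.json; the path in each finding tells you whether the direct dependency or a transitive one needs the bump. Note that a lockfile audit only covers what npm recorded, so vendored or globally installed copies of vm2 still need a separate check.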
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Article source: https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html (fetched 2026-01-28T20:27:03.862Z; 977 words)
Threat ID: 697a711c4623b1157ced2a12
Added to database: 1/28/2026, 8:27:08 PM
Last enriched: 1/28/2026, 8:28:18 PM
Last updated: 1/30/2026, 12:44:52 AM