CVE-2026-22709: CWE-94: Improper Control of Generation of Code ('Code Injection') in patriksimek vm2
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, the callback sanitization for `Promise.prototype.then` and `Promise.prototype.catch` can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not. The return value of an async function is a `globalPromise` object. Version 3.10.2 fixes the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-22709 affects vm2, an open-source sandbox library for Node.js designed to safely execute untrusted code. The root cause is improper control over code generation, specifically a code injection flaw (CWE-94). In vm2 versions before 3.10.2, the sanitization mechanism intended to prevent malicious code execution in Promise callbacks is incomplete. The library sanitizes the callback function of localPromise.prototype.then but neglects to sanitize globalPromise.prototype.then. Since async functions return globalPromise objects, attackers can exploit this discrepancy to bypass the sandbox's security controls. This allows arbitrary code execution outside the sandbox environment, potentially compromising the host system. The vulnerability is exploitable remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact spans confidentiality, integrity, and availability, making it a critical security risk. The fix was introduced in vm2 version 3.10.2, which properly sanitizes all Promise callbacks to close this bypass. No known exploits have been reported yet, but the high severity and ease of exploitation make timely patching imperative.
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially for those that use vm2 to sandbox untrusted or third-party JavaScript code in Node.js applications. Successful exploitation can lead to full system compromise, data breaches, and disruption of critical services. Sectors such as finance, healthcare, telecommunications, and government agencies that rely on secure code execution environments are particularly exposed. The ability to execute arbitrary code without authentication or user interaction increases the risk of widespread exploitation, potentially affecting cloud services, internal applications, and developer tools. The breach of sandbox isolation can also facilitate lateral movement within networks, exacerbating the impact. Given the critical CVSS score and the nature of the vulnerability, organizations face risks to the confidentiality, integrity, and availability of their systems and data.
Mitigation Recommendations
Organizations should immediately upgrade vm2 to version 3.10.2 or later, where the vulnerability is patched. For environments where immediate upgrading is not feasible, consider disabling or restricting the use of vm2 sandboxes, especially in contexts processing untrusted code. Implement strict code review and validation processes for any code executed within vm2. Employ runtime monitoring and anomaly detection to identify suspicious behavior indicative of sandbox escape attempts. Additionally, isolate systems running vm2 sandboxes using network segmentation and least privilege principles to limit potential damage. Regularly audit dependencies and maintain an up-to-date inventory of Node.js packages to quickly identify vulnerable versions. Finally, educate developers and security teams about the risks associated with sandbox bypass vulnerabilities and the importance of timely patching.
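As an added example (not code from vm2 or from this advisory), the dependency audit recommended above can be automated against an npm lockfile: the function below walks every installed copy of vm2, including nested copies under other packages, and flags any version below the fixed release 3.10.2. It assumes a package-lock.json with lockfileVersion 2 or 3 (the `packages` map); the sample lock is constructed for the demonstration.

```javascript
// Added example: flag installed vm2 copies older than the fixed release named in the advisory.
// Assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map).
const FIXED_VM2_VERSION = '3.10.2';

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build suffixes are ignored here).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Report every vm2 entry (top-level or nested) whose version predates the fix.
function findVulnerableVm2(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/vm2') || !entry.version) continue;
    if (compareSemver(entry.version, FIXED_VM2_VERSION) < 0) {
      findings.push({ path, version: entry.version, fixed: FIXED_VM2_VERSION });
    }
  }
  return findings;
}

// Constructed sample lock: a patched top-level vm2 and an outdated copy nested under a plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.10.2' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

// For a real project: findVulnerableVm2(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
console.log(findVulnerableVm2(SAMPLE_LOCK));
```

Nested copies matter because a patched top-level vm2 does not remove an older copy that another dependency pins beneath it.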
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.857Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69790cec4623b1157c4004b0
Added to database: 1/27/2026, 7:07:24 PM
Last enriched: 1/27/2026, 7:09:13 PM
Last updated: 1/27/2026, 10:13:21 PM