Sandbox escape vulnerability in vm2, used by nearly 900 NPM packages, allows attackers to bypass security protections and execute arbitrary code.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A critical sandbox escape vulnerability (CVE-2026-22709) was discovered in vm2, a popular Node.js library used by nearly 900 NPM packages to execute untrusted code safely. The flaw allows attackers to bypass Promise callback sanitization and execute arbitrary code. Despite being deprecated in 2023 due to similar vulnerabilities, the project was resurrected in October 2025 after patching past issues. Users should upgrade to version 3.10.2 or later immediately. The maintainer acknowledges that JavaScript's complexity makes building airtight in-process sandboxes extremely difficult, and new bypasses will likely continue to emerge.

Critical bug in popular vm2 Node.js sandboxing library puts projects at risk