A critical sandbox escape vulnerability (CVE-2026-22709, CVSS 9.8) has been discovered in vm2 versions 3.10.1 and earlier. The flaw stems from incomplete sanitization of Promise callbacks — specifically, `globalPromise.prototype.then` is not sanitized while `localPromise.prototype.then` is, allowing attackers to escape the sandbox and execute arbitrary code on the host. The patched version is 3.10.2. Remediation steps include upgrading immediately, verifying with `npm list vm2`, and auditing transitive dependencies.
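
The transitive-dependency audit mentioned above can be scripted against the lockfile. The following is an added example, not code from the original article or from vm2: it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3 (the formats with a `packages` map), and the package names `demo-app`, `example-runner` and `legacy-tool` in the sample are constructed.

```javascript
// Added example (not from the original article): audit a package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map) for vm2 copies.
const PATCHED = [3, 10, 2]; // first fixed release named in the text above

// True when `version` is older than 3.10.2, a prerelease of it, or unparseable.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return true; // unknown format: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]); // 3.10.2-<tag> sorts before the 3.10.2 release
}

// Returns every installed vm2 copy plus the packages that declare it.
function auditLock(lock) {
  const copies = [];
  const dependents = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      copies.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
    for (const field of ["dependencies", "optionalDependencies", "devDependencies"]) {
      const range = meta[field] && meta[field].vm2;
      if (range) dependents.push({ path: path || "(root project)", range });
    }
  }
  return { copies, dependents };
}

// Constructed sample lockfile: vm2 is never a direct dependency here; it
// arrives once hoisted (patched) and once nested (still vulnerable).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-runner": "^1.0.0" } },
    "node_modules/example-runner": { version: "1.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.10.2" },
    "node_modules/legacy-tool": { version: "2.1.0", dependencies: { vm2: "3.10.1" } },
    "node_modules/legacy-tool/node_modules/vm2": { version: "3.10.1" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it on a real project, pass the parsed contents of `package-lock.json` to `auditLock` instead of `SAMPLE_LOCK`. A nested copy such as the one under `legacy-tool` stays vulnerable even after the hoisted copy is upgraded, which is why each install path is reported separately.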

From stepsecurity.io