GitHub/NVD: vm2 sandbox escape (CVE-2026-22709) enables host code execution

2026-01-30 • Category: AI CVEs

vm2 (a popular Node.js “sandbox” library) has another sandbox escape: CVE-2026-22709. The issue lets attacker-controlled code break out of the vm2 context and run arbitrary code on the host, by bypassing callback sanitization for Promise.prototype.then/catch in certain async paths.

What happened (high signal)

• Impact: sandbox escape → arbitrary code execution on the underlying host process.
• Root cause (as described in the advisory/NVD): vm2 sanitizes callbacks for a “local” Promise, but async functions return a global Promise whose callbacks were not properly sanitized.
• Exploit shape: attacker reaches a constructor chain via the caught error, then uses Function to execute host-side JS (and from there spawn commands).
• Affected versions: NVD states vm2 < 3.10.2 are affected (check your exact dependency graph).
• Fix: upgrade to vm2 3.10.2+ (BleepingComputer reports further tightening in later releases; upgrade to the latest available).
• Why this keeps happening: vm2’s security model is extremely hard to get right long-term; it has a history of sandbox escapes, and it was even discontinued for a period due to repeated escapes.

Why it matters

• If you run user-provided scripts (plugins, “custom code” steps, “JS blocks”, workflow automation), a vm2 escape can convert a minor feature into a full platform compromise.
• Even “internal-only” scripting can be reached via SSRF, supply-chain, or low-privilege account takeover — so treat this as a serious boundary break.
• Agent/automation products often execute untrusted code as part of “connectors” or “transformations”; vm2 can show up indirectly via dependencies.

What to do (practical)

1. Find vm2 usage: search your repos and lockfiles for vm2 (direct and transitive).
2. Patch fast: upgrade to 3.10.2+ (prefer latest). Redeploy any services that bundle Node dependencies into images.
3. Assume bypass risk: if you truly need “untrusted JS execution,” treat vm2 as a stopgap and plan a move to process isolation (microVM/VM) + syscall/file/network sandboxing, not just in-process JavaScript tricks.
4. Add compensating controls: run the execution environment with least privilege, no host filesystem secrets, tight egress allowlists, and strong per-tenant separation.
5. Track AI-adjacent CVEs: add this to your tracker and triage workflow: AI-related CVEs: a practical tracker and triage workflow.

Sources

• GitHub Security Advisory (vm2): GHSA-99p7-6v5w-7xg8
• NVD entry: CVE-2026-22709
• Coverage (secondary): BleepingComputer

See also: AI CVEs