JavaScript Sandbox vm2: Critical Vulnerability Allows Escape
The JavaScript sandbox vm2 for Node.js had actually been discontinued. Now an update closes a critical security vulnerability.
vm2 is a JavaScript sandbox for Node.js. Its development had actually been discontinued in 2023. Now another security vulnerability has been discovered in the software that allows an escape from the secured environment and the execution of arbitrary code. An update is available.
In the vulnerability report, the authors explain that the input filtering applied to the callback functions of Promise.prototype.then and Promise.prototype.catch can be bypassed. This allows attackers to break out of the sandbox and execute their own code (CVE-2026-22709, CVSS 9.8, risk “critical”). While the callback function of localPromise.prototype.then in “lib/setup-sandbox.js” performs the filtering, it is missing from globalPromise.prototype.then, the authors further explain. The patch for the file is quite concise and adds the missing filtering.
vm2 version 3.10.2 fixes the bug. A proof-of-concept exploit is already available, so malicious actors can be expected to add the vulnerability to their standard repertoire quickly. The even newer version 3.10.3 has also been available for a few days; its fixes are likewise intended to prevent escapes from the sandbox. Developers who still use vm2 should therefore update to this version.
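Because vm2 is often pulled in transitively, a useful first check is whether any copy below the fixed release is present in a project's lockfile. The following is an added example, not code from the article or the vm2 project; it walks the `packages` map of an npm lockfile (v2/v3 format, a constructed sample is embedded) and reports every vm2 entry older than 3.10.3, including nested copies under other dependencies.

```javascript
// Added example (not from the article or the vm2 project): find vm2 copies in
// an npm package-lock.json that are older than the fixed release.
const FIXED_VERSION = "3.10.3"; // release the article recommends updating to

// Parse "MAJOR.MINOR.PATCH" (tolerating a leading ^, ~, = or v) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[~^=v]/, ""));
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; throws on unparseable input rather
// than silently treating it as safe.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys are install paths such as "node_modules/vm2" or
// "node_modules/foo/node_modules/vm2" (a nested, possibly older copy).
function findVulnerableVm2(lockfile, fixed = FIXED_VERSION) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      if (compareSemver(meta.version, fixed) < 0) {
        findings.push({ path, version: meta.version });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: one outdated direct vm2 and one already-fixed
// transitive copy under another dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/vm2": { version: "3.10.3" },
  },
};

console.log(findVulnerableVm2(sampleLock));
```

For a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.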
Discontinued Project Revived
The initiator of the vm2 project, Patrik Simek, had actually announced the end of the project in mid-2023. Shortly before, a critical security vulnerability had been found for which no fix was written. Simek therefore recommended that developers switch to isolated-vm, which is also open source.
New commits to the project dating from late October 2025 have so far gone largely unnoticed. Under the title “Resurrection,” Simek thereby restarted development of vm2 with a version jump to 3.10. While Simek had previously stated the reasons for the discontinuation clearly -- the growing complexity of Node.js was no longer manageable -- there is no indication of the motivation for resuming after more than two years.
Anyone who has not yet noticed the end of the project and therefore still has an outdated, vulnerability-riddled version of vm2 in use should quickly switch to the fixed version.
(dmk)