Home > Vulnerability Database > CVE-2026-22709

Mend.io Vulnerability Database

CVE-2026-22709

Good to know:

Date: January 26, 2026

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, "Promise.prototype.then" "Promise.prototype.catch" callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of "localPromise.prototype.then" is sanitized, but "globalPromise.prototype.then" is not sanitized. The return value of async functions is "globalPromise" object. Version 3.10.2 fixes the issue.

Severity Score

9.8

Related Resources (6)

Url: https://github.com/patriksimek/vm2/releases/tag/v3.10.2

Url: https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

Url: https://github.com/patriksimek/vm2

Url: https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22709

Url: https://www.mend.io/vulnerability-database/CVE-2026-22709

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Control of Dynamically-Managed Code Resources

CWE-913

Protection Mechanism Failure

CWE-693

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.10.2;https://github.com/patriksimek/vm2.git - v3.10.2

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22709

Good to know:

Date: January 26, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?