Critical Vulnerability Discovered in vm2 Node.js Library


By Tina Reynolds


Researchers at JFrog have discovered a high-severity security vulnerability in the vm2 Node.js library. The library is heavily used to run untrusted code in a sandboxed environment. Tracked as CVE-2026-22709, the flaw is rated critical because it allows arbitrary code execution outside the sandbox that vm2 was designed to enforce. The vulnerability carries a CVSS score of 9.8 out of 10.0. Taken together, the library's widespread use, the sandbox escape and the near-maximal score leave users little choice but to patch their systems immediately.

vm2 enforces its sandbox by intercepting and proxying certain JavaScript objects so that sandboxed code cannot reach out into the host environment. The vulnerability, whose technical details have not yet been disclosed, stems from a lack of sanitization of Promise handlers within the library. This omission creates an escape vector that lets adversarial actors run code outside the security sandbox.

Details of the Vulnerability

CVE-2026-22709 is the latest in a long line of vulnerabilities that have plagued vm2 since last December, underscoring that the security risks around the library are still very much at play. The vulnerability grants access to the host environment, which could have dire consequences if abused. As vm2 maintainer Patrik Simek put it, we need to fix this mistake, and we need to do it quickly. Users are encouraged to update to vm2 version 3.10.2, in which this high-severity vulnerability is fixed.

Besides the fix for CVE-2026-22709, vm2 version 3.10.3 includes other bug fixes. As part of that update, we patched 3 different potential sandbox escape vulnerabilities. This reflects the maintainers' dedication to giving users the safest environment possible for running untrusted code.

Ongoing Maintenance and Security Updates

In October 2025, Patrik Simek responded that the vm2 3.x versions are still maintained. This commitment demonstrates a laudable and heartfelt dedication to security and user safety. The vm2 Security page has also been freshly updated: it recently added a warning letting users know that these versions are no longer actively maintained and encouraging them to keep their installations up to date.

Here is a quick look at the other vulnerabilities the recent updates have covered: CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466 and CVE-2023-37903. These further fixes greatly increase the security of vm2, so users should be extra cautious and make sure they are on the most up-to-date version.

User Recommendations

We want to be clear that CVE-2026-22709 is a critical security vulnerability. Users are strongly encouraged to upgrade to the latest version of vm2 without delay to safeguard themselves.

Creating a secure development environment

Regularly updating software, including libraries, frameworks and binaries, is a key practice for maintaining a secure development environment. By applying the latest security patches, users can mitigate the risks associated with executing untrusted code.
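One practical way to act on this recommendation is to audit a project's npm lockfile for every vm2 install, including nested copies pulled in by other dependencies, and flag any below the version the article names as fixed (3.10.2). The following is an added example, not code from the article or from the vm2 project; the lockfile content is constructed, and the fixed-version threshold is taken from the article rather than from an official advisory.

```javascript
const FIXED_VM2_VERSION = '3.10.2'; // per the article; adjust if advisories differ

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a package-lock.json (v2/v3 "packages" map or v1 "dependencies" tree)
// and return every vm2 install whose version is below the fixed version.
function findVulnerableVm2(lock) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path.endsWith('node_modules/vm2') && meta.version &&
        compareVersions(meta.version, FIXED_VM2_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  // Lockfile v1 style: nested "dependencies" objects under each package.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && meta.version &&
          compareVersions(meta.version, FIXED_VM2_VERSION) < 0) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one direct vm2 pinned below the fix and one
// nested copy already on the fixed version (only the first should be flagged).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-runner/node_modules/vm2': { version: '3.10.2' },
  },
};
console.log(findVulnerableVm2(SAMPLE_LOCK)); // flags node_modules/vm2 @ 3.9.19
```

To run against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json.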