CVE-2026-22709

Medienbericht

Exploit

EPSS 1.22%
Veröffentlicht 26.01.2026 21:32:00
Zuletzt bearbeitet 17.02.2026 20:59:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vm2 Project ≫ Vm2 SwPlatformnode.js Version < 3.10.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.22%	0.648

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CWE-913 Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

07.05.2026 07:10

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

06.05.2026 20:55

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

29.01.2026 09:51

https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8

Vendor Advisory

Exploit

https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29

Patch

https://github.com/patriksimek/vm2/releases/tag/v3.10.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-22709

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22709

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22709

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22709