[CIVN-2026-0058] Remote Code Execution Vulnerability in VM2 Sandbox Library for Node.js

Published On: January 30, 2026

Remote Code Execution Vulnerability in VM2 Sandbox Library for Node.js 
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
VM2 Sandbox Library for Node.js versions prior to 3.10.2
Overview
A vulnerability has been reported in VM2 Sandbox Library for Node.js, which could be exploited by a remote attacker to execute arbitrary code on the targeted system.
Target Audience:
All end-user organizations and individuals using affected VM2 Sandbox Library for Node.js.
Risk Assessment:
Very High risk of unauthorized access to sensitive data or arbitrary code execution
Impact Assessment:
Potential for system compromise.
Description
VM2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
This vulnerability exists in the VM2 Node.js library due to improper callback sanitization of the "Promises" component that handles asynchronous operations to make sure code execution is restricted to the context of the isolated environment.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted system.
Solution
Apply the security updates released by the vendor and upgrade VM2 Sandbox Library for Node.js to version 3.10.2 or later.
Vendor Information
GitHub
https://github.com/patriksimek/vm2
References
BleepingComputer
https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/
CyberSecurityNews
https://cybersecuritynews.com/vm2-sandbox-vulnerability/
CVE Name
CVE-2026-22709
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003