CVE-2026-22709 is described as a critical sandbox escape vulnerability in vm2, a JavaScript sandbox library used to run untrusted code. According to StepSecurity, the flaw allows attackers to bypass sandbox protections and execute arbitrary code on the host system, with vm2 version 3.10.0 and earlier being affected.
The root cause is that Promise.prototype.then is sanitised on localPromise but not on globalPromise, which lets attackers break out of the sandbox; the advisory notes the issue exists in vm2 up to and including version 3.10.0, with 3.10.2 as the patched release. The vulnerability carries a severity of Critical (CVSS 9.8).
StepSecurity suggests immediate remediation steps: upgrade to vm2 version 3.10.2 or later, verify the upgrade with npm list vm2, review indirect dependencies, and audit usage patterns to ensure vm2 is only used where necessary. References include the GitHub Security Advisory GHSA-99p7-6v5w-7xg8 and the vm2 v3.10.2 release. 27 January 2026.
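The remediation steps above (upgrade, verify, review indirect dependencies) are easy to get wrong when vm2 is pulled in transitively, because `npm list vm2` only reports what is installed in the current working tree. The following script is an added example, not StepSecurity's guidance nor code from the vm2 project: it walks an npm lockfile (both the lockfileVersion 1 nested "dependencies" tree and the lockfileVersion 2/3 flat "packages" map) and flags every copy of vm2, nested or top-level, whose version is below 3.10.2. The sample lockfile embedded at the bottom is constructed for the demonstration; the package names in it are invented.

```javascript
// Added example (not from the advisory or the vm2 project): find every copy of
// vm2 in an npm lockfile and flag versions below the patched release 3.10.2.
const PATCHED_VERSION = "3.10.2";

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v") into three numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
// (A string comparison would wrongly rank "3.10.10" below "3.10.2".)
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, so nested
// copies appear as ".../node_modules/vm2".
function fromPackagesMap(packages) {
  const found = [];
  for (const [path, info] of Object.entries(packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      found.push({ path, version: info.version });
    }
  }
  return found;
}

// lockfileVersion 1: nested "dependencies" tree; recurse to reach indirect copies.
function fromDependenciesTree(deps, prefix = "") {
  const found = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "vm2") found.push({ path, version: info.version });
    found.push(...fromDependenciesTree(info.dependencies, `${path}/`));
  }
  return found;
}

// Returns [{ path, version, vulnerable }] for every vm2 copy in the lockfile.
function findVm2(lock) {
  const entries = lock.packages
    ? fromPackagesMap(lock.packages)
    : fromDependenciesTree(lock.dependencies);
  return entries.map((e) => ({
    ...e,
    vulnerable: compareSemver(e.version, PATCHED_VERSION) < 0,
  }));
}

// Constructed sample lockfile for the demonstration (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/legacy-runner": { version: "2.0.0" },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.10.0" },
    "node_modules/other-tool/node_modules/vm2": { version: "3.10.2" },
  },
};

// Use a real package-lock.json when a path is given on the command line,
// otherwise fall back to the constructed sample.
function loadLock(argv) {
  if (argv.length > 2) {
    return JSON.parse(require("fs").readFileSync(argv[2], "utf8"));
  }
  return SAMPLE_LOCK;
}

// Print one line per vm2 copy and return the number of vulnerable copies.
function report(lock) {
  const findings = findVm2(lock);
  for (const f of findings) {
    console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path} ${f.version}`);
  }
  return findings.filter((f) => f.vulnerable).length;
}

report(loadLock(process.argv));
```

Run it as `node check-vm2.js path/to/package-lock.json` in CI and fail the build when it reports any vulnerable copy; a lockfile scan catches copies that `npm list vm2` misses when the tree on the build machine differs from the committed lock.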