New Escape Flaw Threatens Node.js Servers

Security experts have sounded the alarm over a massive security hole found in the widely used vm2 library for Node.js. This specific bug, labeled CVE-2026-22709, has earned a near-perfect severity rating of 9.8 out of 10. The high score reflects just how dangerous the flaw is: it allows a hacker to break out of a restricted “sandbox” and seize control of the entire computer system. For a tool built specifically to keep untrusted code locked away, this kind of failure is a worst-case scenario.

How a Simple Promise Broke the Walls

The core of the problem lies in how vm2 handles a common JavaScript feature called Promises. Normally, when you run code inside a sandbox, the library is supposed to act like a high-tech filter. It checks every object and function to make sure it doesn’t have “keys” to the outside world. However, researchers discovered a blind spot in how the library cleans up the handlers used for asynchronous tasks.

The technical breakdown is a classic case of mistaken identity between two copies of the same kind of object. In JavaScript, async functions don't return the local version of a Promise that the sandbox has under control. Instead, they return a global version that belongs to the host. Because the library's security checks were looking at the local versions but ignoring the global ones, attackers found a wide-open back door. By calling "then" and "catch" on these unsanitized global objects, a malicious actor can jump over the sandbox walls and run any command they want on the underlying operating system.


A Long History of Security Failures

This isn’t the first time vm2 has let its guard down. In fact, this latest incident is just the newest chapter in a long saga of security disasters. Over the last few years, a constant stream of “sandbox escapes” has hit the library, forcing developers to scramble for patches over and over again. Names like CVE-2023-30547 and CVE-2023-37903 are well-known to security pros who have been tracking this library’s shaky record.

At one point in 2023, the constant pressure of finding and fixing these holes became so much that the project’s creator, Patrik Simek, actually announced he was shutting the project down. He warned that the way the library was built made it almost impossible to keep it 100% secure. Curiously, while that “discontinued” notice has vanished from the main project page, and the library appears to be getting updates again as of late 2025, the underlying risks remain exactly the same. The maintainers themselves admit that more bugs are probably hiding in the shadows, waiting for hackers to find them.

Why You Should Probably Switch Tools

If you are currently using vm2 to keep your applications safe, the advice from the experts is clear: update to version 3.10.3 immediately to stop the current bleeding. But even with the patch, many in the cybersecurity community are saying it’s time to move on. Using this library is starting to feel like plugging leaks in a dam that was never built to hold this much water.

Instead of relying on a library that tries to "fake" security by proxying objects, experts suggest moving to more modern alternatives like isolated-vm. This tool is built on a much tougher foundation called V8 Isolates: each isolate has its own separate JavaScript heap, so untrusted code never shares objects with the host in the first place, rather than having its access to shared objects filtered through proxies. For those who need the highest level of safety, the gold standard is still using something like Docker. By putting untrusted code in its own separate container, you ensure that even if a hacker breaks out of the app, they are still trapped inside a virtual box with nowhere to go.
