CVE-2022-36067
published 2022-09-06CVE-2022-36067: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the…
PriorityP181critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
47.87%
98.7th percentile
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patriksimek | vm2 | < 3.9.11 | 3.9.11 |
| vm2_project | vm2 | < 3.9.11 | 3.9.11 |
| vm2_project | vm2 | >= 0 < 3.9.11 | 3.9.11 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2022-36067 exploits improper exception handling in vm2 sandbox; the sandbox setup does not manage proper exception handling, allowing sandbox escape and RCE on the host ↗
- →CVE-2022-36067 affects vm2 versions prior to 3.9.11; detection should flag use of vm2 < 3.9.11 in Node.js environments ↗
- →CVE-2022-36067 allows escaping the vm2 isolated environment and running shell commands on the machine hosting the sandbox ↗
- ·The affected package in Red Hat's ecosystem is rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2), which bundles the vulnerable vm2 library ↗
- ·No workarounds are available for CVE-2022-36067; the only remediation is upgrading to vm2 version 3.9.11 or later ↗
- ·Red Hat notes that mitigation is either not available or does not meet their criteria for ease of use, deployment, applicability, or stability ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
osv·2022-09-28
CVE-2022-36067 [CRITICAL] vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.11` of `vm2`
### Workarounds
None.
### References
Github Issue - https://github.com/patriksimek/vm2/issues/467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [VM2](https://githu
GHSA
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
ghsa·2022-09-28
CVE-2022-36067 [CRITICAL] CWE-913 vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.11` of `vm2`
### Workarounds
None.
### References
Github Issue - https://github.com/patriksimek/vm2/issues/467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [VM2](https://githu
Red Hat
vm2: Sandbox Escape in vm2
vendor_redhat·2022-09-07·CVSS 10.0
CVE-2022-36067 [CRITICAL] CWE-913 vm2: Sandbox Escape in vm2
vm2: Sandbox Escape in vm2
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
A flaw was found in the vm2 sandbox when running untrusted code, as the sandbox setup does not manage proper exception handling. This flaw allows an attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host which is running the sandbox.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Secur
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Critical vm2 sandbox bug lets attackers execute code on hosts
blogs_bleepingcomputer·2026-05-06·CVSS 9.8
CVE-2026-26956 [CRITICAL] Critical vm2 sandbox bug lets attackers execute code on hosts
## Critical vm2 sandbox bug lets attackers execute code on hosts
## Bill Toulas
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.
The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.
In the security advisory, the maintainer says that the issue only impacts environments with Node.js 25 (confirmed on Node.js 25.6.1) that have enabled WebAssembly exception handling and JSTag support.
vm2 is an open-source Node.js library used to run untrusted JavaScript code inside a restricted sandbox environment. It is commonly employed by online coding p
Bleepingcomputer
Critical sandbox escape flaw found in popular vm2 NodeJS library
blogs_bleepingcomputer·2026-01-27·CVSS 9.8
CVE-2026-22709 [CRITICAL] Critical sandbox escape flaw found in popular vm2 NodeJS library
## Critical sandbox escape flaw found in popular vm2 NodeJS library
## Bill Toulas
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system.
The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem.
vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code.
Last October, maintainer Patrik Šimek d
Checkpoint
17th October – Threat Intelligence Report
blogs_checkpoint·2022-10-17
CVE-2022-41352 17th October – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 17th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Guacamaya hacking group claim to have breached the Attorney General of Colombia, and leaked massive amount of data that revealed identities and methods of Australian Federal Police secret agents working to stop major drug importations to Australia. The breached data includes five million emails and tens of thousands of do
https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164https://github.com/patriksimek/vm2/issues/467https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqhttps://security.netapp.com/advisory/ntap-20221017-0002/https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164https://github.com/patriksimek/vm2/issues/467https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrqhttps://security.netapp.com/advisory/ntap-20221017-0002/https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067
2022-09-06
Published