Critical Sandbox Escape Vulnerability Disclosed in Node.js *vm2* Library

A critical sandbox escape vulnerability has been disclosed in the Node.js vm2 library, identified as CVE-2026-22709 with a CVSS score of 9.8. This flaw affects version 3.10.0 of vm2 and allows an attacker to execute arbitrary code on the underlying operating system. The issue lies in the Promise.prototype.then and Promise.prototype.catch methods. No disclosure date or patch has been specified in the excerpt.