Copilot AI commented Feb 10, 2026

vm2 3.10.0 has a critical sandbox escape via unsanitized Promise callbacks (CVE-2026-22709, CVSS 9.8).

  • Bumped vm2 devDependency from ^3.9.18 to ^3.10.4 (lockfile was pinned to vulnerable 3.10.0)
Original prompt

This section details the original issue you should resolve

<issue_title>Security Vulnerability in your devDependencies (vm2)</issue_title>
<issue_description>Security Vulnerability Alert for the version of vm2 found in your devDependencies:

On 25 Jan 26, a GitHub project maintainer shared a critical flaw found in vm2, a popular NodeJS sandbox library.1 The vulnerability, tracked as CVE-2026-22709 (CVSS v3.1 score 9.8), arises from vm2’s failure to properly sandbox ‘Promises,’ the callback sanitization component that handles asynchronous operations, and could allow an attacker to escape the sandbox and run untrusted JavaScript code.2
(U) CVE-2026-22709 affects vm2 version 3.10.0, and has been fixed in versions 3.10.1, 3.10.2, and 3.10.3. Users are recommended to update to version 3.10.3, as it contains a more secure patch to avoid a potential bypass. As of 30 Jan 26, there is no evidence of active exploitation.

Please fix this.</issue_description>

<agent_instructions>Update vm2 dependency to the latest version and make sure tests are passing.</agent_instructions>

Comments on the Issue (you are @copilot in this section)
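The PR description makes the practical point that the package.json range (^3.9.18) already admitted fixed releases, yet the lockfile still pinned 3.10.0, so the installed version is what has to be checked. The following is an added example, not code from this PR or from vm2: it reads a package-lock.json object (v1 or v2/v3 layout) and reports every installed vm2 copy against the affected/fixed versions stated in the advisory above. The two sample lockfiles are constructed to mirror the before/after state described in the PR.

```javascript
// Added example (not part of the PR): audit the vm2 version a lockfile actually
// installs, since CVE-2026-22709 depends on the resolved version, not the range.
// Affected/fixed versions below are taken from the advisory text quoted in the issue.
const AFFECTED = new Set(["3.10.0"]);
const FIRST_FIXED = "3.10.1"; // 3.10.3 recommended by the advisory, 3.10.4 used by the PR

// Numeric compare of dotted release versions (no prerelease handling needed here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every resolved vm2 version: v2/v3 "packages" map (keys end in
// node_modules/vm2, nested copies included) and v1 "dependencies" tree.
function resolvedVm2Versions(lock) {
  const found = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/vm2") && pkg.version) found.push(pkg.version);
  }
  const walk = (deps) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (name === "vm2" && dep.version) found.push(dep.version);
      walk(dep.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...new Set(found)];
}

// One {version, status} per installed copy. "affected" = listed in the advisory,
// "fixed" = at or above the first fixed release, otherwise "older-unaffected".
function auditVm2(lock) {
  return resolvedVm2Versions(lock).map((version) => ({
    version,
    status: AFFECTED.has(version) ? "affected"
      : compareVersions(version, FIRST_FIXED) >= 0 ? "fixed"
      : "older-unaffected",
  }));
}

// Constructed sample lockfiles (v3 layout) mirroring the PR: same ^3.9.18 range
// before, but the lock resolved 3.10.0; after the bump it resolves 3.10.4.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { devDependencies: { vm2: "^3.9.18" } },
  "node_modules/vm2": { version: "3.10.0", dev: true } } };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { devDependencies: { vm2: "^3.10.4" } },
  "node_modules/vm2": { version: "3.10.4", dev: true } } };

console.log(auditVm2(LOCK_BEFORE), auditVm2(LOCK_AFTER));
```

To run it against a real repository, replace the constructed objects with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.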



…2026-22709

Co-authored-by: styfle <229881+styfle@users.noreply.github.com>
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated vm2@3.10.0 ⏵ 3.10.4 (Socket scores): Supply Chain Security 98 (-1), Vulnerability 100 (+75), Quality 100 (+1), Maintenance 91 (+5), License 100


Copilot AI changed the title from "[WIP] Update vm2 to version 3.10.3 to fix security vulnerability" to "Update vm2 to 3.10.4 to fix CVE-2026-22709" on Feb 10, 2026
Copilot AI requested a review from styfle February 10, 2026 19:48