Critical vm2 Node.js sandbox escape vulnerabilities
⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.
