A critical sandbox escape vulnerability has been discovered in vm2, one of the most widely-used Node.js sandboxing libraries. The flaw allows an attacker who can execute code inside a vm2 sandbox to break out of the sandbox and execute arbitrary code on the host system. Any application that uses vm2 to isolate untrusted JavaScript — such as plugin systems, online coding platforms, workflow automation tools, and serverless function runtimes — is potentially affected.
The vulnerability was reported by BleepingComputer, which has tracked multiple critical sandbox escape bugs in vm2 in recent years.
What Is vm2?
vm2 is a Node.js library that provides a sandboxed environment for executing untrusted JavaScript code. It is intended to prevent malicious code from accessing the host system's resources, file system, network, or process environment. The library achieves this by running code in a restricted JavaScript context that intercepts dangerous APIs.
vm2 is downloaded millions of times per month from npm and is a dependency in numerous production applications including:
- Online coding and IDE platforms (run untrusted user code in isolation)
- Workflow automation tools (execute user-defined JavaScript actions)
- Plugin and extension systems (sandbox third-party plugins)
- Content management systems (execute template scripts safely)
- Serverless function runtimes (isolate tenant code in multi-tenant environments)
- Security testing tools (analyze potentially malicious scripts)
The premise of vm2 is that code running inside the sandbox cannot affect the host. This vulnerability directly undermines that premise.
The Vulnerability
The critical flaw allows an attacker to craft a JavaScript payload that, when executed inside the vm2 sandbox, escapes the sandboxed context and gains the ability to execute arbitrary code in the host Node.js process. Once outside the sandbox, the attacker code runs with the same privileges as the host process — which in many production deployments is a server process with access to the filesystem, network, database credentials, and environment variables.
Sandbox escape vulnerabilities in vm2 are not new — the library has a history of such findings — but each new escape technique requires a new patch. The current vulnerability represents another instance of this recurring pattern.
Why Sandbox Escapes Are Difficult to Prevent
JavaScript sandboxing at the language level is inherently challenging because:
- JavaScript is highly dynamic — Features like
Proxy,Reflect,Symbol, and prototype manipulation offer many attack surfaces - Node.js built-ins expose powerful APIs — References to built-in constructors (e.g.,
Function,eval, native module internals) can be used to escape restricted contexts - V8 engine complexity — The V8 JavaScript engine itself may expose internal mechanisms that a sufficiently crafted payload can abuse
- vm module limitations — Node.js's built-in
vmmodule, on which vm2 builds, explicitly states that it is not a security boundary
Attack Scenario
1. Application accepts user-supplied JavaScript and executes it
inside a vm2 sandbox (e.g., a workflow automation "Run Script"
node, an online coding platform, a plugin system)
2. Attacker crafts a payload that exploits the sandbox escape
vulnerability
3. The payload breaks out of the vm2 restricted context and
gains execution in the host Node.js process
4. Attacker reads environment variables (database passwords,
API keys, cloud credentials), reads/writes the filesystem,
makes network requests, or spawns child processes
5. In multi-tenant environments, attacker may access data
belonging to other users of the same applicationAffected Applications
Any application that:
- Accepts user-supplied JavaScript input
- Executes that input inside a vm2 sandbox
- Assumes the sandbox prevents host-level access
...is potentially vulnerable.
High-Risk Application Types
| Application Type | Risk |
|---|---|
| Online coding platforms | Users can submit exploit payloads directly |
| Workflow automation (n8n, Node-RED, etc.) | User-defined scripts run in sandboxes |
| CMS with script execution | Theme/plugin scripts may be user-editable |
| Multi-tenant SaaS with JS scripting | Tenant code isolation relies on the sandbox |
| Security analysis tools | Analyzing malicious JS may trigger the escape |
Recommendations
For Application Developers
-
Update vm2 immediately to the latest patched version:
npm update vm2 # or npm install vm2@latest -
Audit all vm2 usage — identify every location in your codebase where vm2 executes user-supplied or attacker-reachable input
-
Consider migrating away from vm2 — The library's history of critical sandbox escapes suggests that language-level JavaScript sandboxing is fundamentally difficult to secure. Consider alternatives:
- Isolated process execution — Run untrusted code in a separate child process with restricted OS-level permissions
- Container-based isolation — Use Docker or similar to sandbox untrusted code at the OS level
- WebAssembly sandboxes — Platforms like Wasmer or WASM-based runtimes provide stronger isolation guarantees
- Vercel Sandbox — For cloud-deployed applications, purpose-built sandboxed execution environments with hardware-level isolation
-
Apply defense-in-depth — Even with vm2 updated, do not rely on vm2 as your only defense. Combine it with:
- Running the Node.js process with minimal OS privileges (non-root, restricted filesystem access)
- Network egress controls to limit outbound connections from sandboxed processes
- Rate limiting and input validation before code reaches the sandbox
For Security Teams
- Scan your npm dependency tree for vm2:
npm ls vm2
# or
grep -r '"vm2"' node_modules/.package-lock.json
- Check for indirect (transitive) dependencies on vm2:
npm audit
- Review application logs for anomalous subprocess spawning,
unexpected file access patterns, or outbound connections that
may indicate active exploitation
- If exploitation is suspected, treat the host process as
fully compromised and rotate all credentials accessible
to that processvm2 Sandbox Escape History
This is not the first critical sandbox escape in vm2. The library has a documented history of such vulnerabilities:
| CVE | Severity | Year | Description |
|---|---|---|---|
| CVE-2023-29199 | Critical | 2023 | Sandbox escape via improper source code transformation |
| CVE-2023-32314 | Critical | 2023 | Sandbox escape via Proxy handler bypass |
| CVE-2022-36067 | Critical | 2022 | Sandbox bypass via RegExp handler |
| CVE-2021-23440 | High | 2021 | Prototype pollution leading to sandbox escape |
This pattern has led many security researchers to recommend against using vm2 for security-critical sandboxing entirely, in favor of OS-level isolation mechanisms.
Broader Implications
The recurring nature of vm2 sandbox escapes highlights a fundamental limitation: JavaScript sandboxing at the language level cannot be considered a security boundary. The Node.js documentation for the built-in vm module explicitly warns:
"The vm module is not a security mechanism. Do not use it to run untrusted code."
vm2 attempts to harden this further, but the attack surface of a full JavaScript runtime — with its dynamic features, prototype chain, and built-in constructors — is too large to fully lock down.
Organizations that need strong isolation for untrusted code execution should evaluate hardware-enforced isolation (containers, VMs, Firecracker microVMs) rather than relying on language-level sandboxing.