
A critical vulnerability has been patched in vm2, a widely used library for the Node.js JavaScript runtime that allows untrusted code to be executed inside a sandbox within the same process as trusted application code. The flaw allows for a sandbox escape, which is as serious as it gets for a software component whose primary goal is enforcing a security boundary between trusted and untrusted code.
The vm2 library, which is listed as a dependency by almost 900 other packages on NPM and many projects on GitHub, is not a stranger to sandbox escape vulnerabilities. In fact, in July 2023, its creator decided to stop maintaining the project and deprecate it after one such vulnerability.
Despite the project being unmaintained, people kept using it in the absence of good alternatives, and it still sees millions of downloads every month. In October 2025, the original maintainer decided to resurrect the project, patching all past vulnerabilities and announcing plans to rewrite it in TypeScript.
