Twelve critical vulnerabilities have been disclosed in the vm2 Node.js library — a tool trusted by thousands of applications to safely execute untrusted JavaScript code. The flaws, some rated 9.8 on the CVSS scale, let attackers break out of the sandbox and run arbitrary code on the host system. That’s not a hypothetical risk. It’s a direct exploit path, and it’s been live in production environments for months.
Key Takeaways
- 12 critical vulnerabilities were found in vm2, including sandbox escape and arbitrary code execution.
- One flaw, CVE-2026-2865, scored 9.8/10 on the CVSS scale due to its high impact and low attack complexity.
- vm2 is used in production by companies running user-submitted JavaScript, from code playgrounds to plugin systems.
- The maintainers released patches in version 3.9.14, urging all users to update immediately.
- At least two proof-of-concept exploits are now public, lowering the barrier for widespread abuse.
Historical Context
The concept of sandboxing JavaScript dates back to the early 2000s, when web developers began running user-submitted code in isolated environments to mitigate security risks. This approach evolved over time, with various tools and libraries emerging to handle the task. The vm2 library itself was first released in 2010, initially as a lightweight alternative to more comprehensive sandboxing solutions like V8’s built-in sandbox. Since then, vm2 has gained popularity, especially in the Node.js ecosystem, where thousands of projects rely on it to execute untrusted code.
While vm2 has undergone numerous updates and improvements, its core design has remained relatively unchanged. The library’s maintainers have consistently emphasized its limitations and encouraged users to employ it with caution. However, as applications grew more complex and user-submitted code became increasingly prevalent, the need for more strong security solutions became apparent.
How a Sandbox Became a Backdoor
vm2 was built to do one thing: run untrusted JavaScript in isolation. It’s used wherever code from users, third parties, or plugins must execute without endangering the host. Think code editors that evaluate snippets, automation tools running custom scripts, or low-code platforms letting users write logic in JS. The library works by intercepting and proxying core JavaScript objects — things like Object, Function, and process — to prevent access to system resources.
But the sandbox only works if every escape route is sealed. These vulnerabilities show how fragile that illusion can be.
Researchers found that flaws in how vm2 handles object prototypes, constructor chains, and error propagation let attackers bypass restrictions. In one case, a malformed Proxy object could be used to leak references to the host environment. In another, a recursive call stack manipulation exposed internal vm2 binding objects — effectively handing attackers a master key.
That’s not just theory. A proof-of-concept exploit for CVE-2026-2865 — one of the most severe flaws — demonstrates how an attacker can spawn a reverse shell from within the sandbox. Once that shell lands, it’s game over. The attacker owns the process. They can read environment variables, access local files, or pivot to internal networks.
Why Developers Trusted vm2 — And Why That Backfired
For years, vm2 was treated as the go-to solution for JavaScript sandboxing. It had over 2.3 million weekly downloads on npm, and its GitHub repository had more than 7,800 stars. It was featured in documentation for platforms like Deno and referenced in security guides as a “safe” way to run user code.
That trust was never fully earned. Unlike formal isolation mechanisms — containers, WebAssembly, or VMs — vm2 operates entirely in userspace, relying on JavaScript’s own runtime to enforce boundaries. That’s like locking a door with a piece of tape and hoping no one tugs hard.
And yet, companies kept building on it. CodeSandbox, a popular online IDE, used vm2 in its backend evaluation engine until 2024. Some CI/CD platforms still use it to run user-defined pipeline scripts. Plugin ecosystems for tools like Ghost and Strapi have recommended vm2 for executing extensions in restricted mode.
The irony is stark: a library designed to reduce risk ended up becoming a single point of failure for entire applications.
The Cost of “Good Enough” Security
Open-source maintainers often work for free. vm2’s primary maintainer, Suhail Alkowaileet, has long acknowledged the project’s limitations. In a 2023 GitHub discussion, he warned users that “vm2 is not a complete sandbox and should not be used in highly secure environments.” But that warning was buried in a GitHub thread — not in the README, not in the npm description.
And developers, under pressure to ship, treated it like a plug-and-play solution. “We needed to run user scripts,” a backend engineer at a fintech startup told The Hacker News. “vm2 was the first thing that worked. We didn’t have time to build something safer.”
That’s the trap: when a tool solves an urgent problem, its flaws get rationalized. “It’s open source.” “It’s widely used.” “No one’s reported a breach.” Until someone does.
The Patch Isn’t a Fix
The vm2 team released version 3.9.14 on May 05, 2026, addressing all 12 vulnerabilities. The changelog lists fixes for prototype pollution, constructor bypass, and improper proxy handling. Maintainers are urging all users to update immediately.
But patching isn’t the same as resolving risk.
Many applications using vm2 are internal tools, legacy systems, or embedded dependencies. Some are downstream in larger packages, making detection harder. A search on GitHub shows over 15,000 public repos importing vm2 — and that’s just the visible surface.
And public exploit code has already landed. Within 24 hours of disclosure, two separate PoCs were posted to GitHub Gists. One, shared by security researcher Nikita Voloboev, demonstrates full host escape using a chain of three vulnerabilities. The other, attributed to an anonymous contributor, targets cloud environments, extracting AWS credentials from environment variables.
That means attackers don’t need to reverse-engineer anything. They can copy, paste, and deploy.
Supply Chain Blind Spots Are Now Attack Vectors
This isn’t just a vm2 problem. It’s a symptom of how deeply nested and poorly monitored the JavaScript supply chain has become.
- vm2 depends on
acorn, a JavaScript parser used by Babel, Webpack, and ESLint. - It also pulls in
node-forge, which had its own critical crypto flaw in 2025. - Over 400 packages on npm list vm2 as a direct dependency.
- Many more include it indirectly via tools like
js-sandboxorsafe-eval.
The deeper you go, the harder it is to track what’s running, let alone secure it. A single flawed function in a low-level dependency can ripple upward, compromising systems that never even knew vm2 was in their stack.
Adoption Timeline: What’s Next for vm2 and Its Users
As the severity of the vm2 vulnerabilities becomes clearer, some developers are already rethinking their use of the library. But what does this mean for the future of vm2 and its users?
For starters, a thorough audit of all applications using vm2 is imperative. This will involve identifying and updating to the latest version, as well as implementing additional security measures to mitigate the risks associated with the library.
However, the longer-term implications are more far-reaching. As developers become increasingly aware of the limitations and risks associated with vm2, alternative solutions are likely to emerge. These might include more strong sandboxing libraries, or even a shift towards using formal isolation mechanisms like containers or WebAssembly.
In the meantime, developers and security professionals need to be vigilant in monitoring the JavaScript supply chain for potential vulnerabilities. By doing so, they can help prevent similar incidents in the future and ensure that the applications they build are secure and trustworthy.
What This Means For You
If you’re using vm2 in production, assume you’re exposed. Update to 3.9.14 immediately. But don’t stop there. Audit your logs for any unusual process spawns, outbound connections, or file reads from JavaScript contexts. If you’re running user-submitted code, assume some of it may have escaped.
Longer term, stop relying on userspace sandboxes for security-critical workloads. Use WebAssembly with WASI, containerized execution, or dedicated runtime isolates like Google’s isolated-vm. These aren’t perfect, but they’re orders of magnitude safer than trying to outsmart JavaScript’s own object model.
And if you’re maintaining a tool that executes untrusted code, ask yourself: is “fast and easy” worth the risk? Because the next exploit might not just read a file — it might wipe your database.
We’ve spent years building convenience on top of JavaScript’s flexibility. Now, we’re learning the cost.
Concrete Scenarios
Let’s consider three concrete scenarios to illustrate the implications of the vm2 vulnerabilities:
Scenario 1: A fintech startup uses vm2 to execute user-defined scripts in its backend evaluation engine. Despite the maintainer’s warning, the team was too busy to implement a more strong sandboxing solution. Now, with the release of the exploit code, the startup is faced with the daunting task of updating its entire backend to prevent potential breaches.
Scenario 2: A popular online IDE, CodeSandbox, uses vm2 to run user-submitted code in its backend evaluation engine. As the vulnerabilities become public, the team at CodeSandbox springs into action, updating to the latest version of vm2 and implementing additional security measures. However, the incident highlights the importance of maintaining a strong and secure development environment, even in the face of emerging risks.
Scenario 3: A company uses vm2 to execute plugins in its plugin ecosystem for a tool like Ghost. With the release of the exploit code, the team is faced with the task of identifying and removing all vulnerable plugins from its ecosystem. This requires a thorough audit of the plugins, as well as a detailed analysis of the potential risks associated with each one.
Key Questions Remaining
As the impact of the vm2 vulnerabilities becomes clearer, several key questions remain:
1. Will the vm2 library recover from this incident, or will it become a relic of the past?
2. How can developers and security professionals better monitor the JavaScript supply chain for potential vulnerabilities?
3. What are the implications for the use of userspace sandboxes in security-critical workloads?
4. How can we balance the need for convenience and flexibility in JavaScript development with the need for strong security measures?
5. What are the long-term consequences for the applications using vm2, and how can they be mitigated?
These questions will shape the future of vm2 and its users, as well as the broader JavaScript ecosystem. As we navigate this complex landscape, it’s essential to be vigilant, proactive, and responsive to emerging risks.
Sources: The Hacker News, original report
