
13 new critical holes in JavaScript sandbox allow execution of arbitrary code
Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code to escape the container and do nasty things to IT environments. As a result, developers using this library in their applications are urged to update the software to the latest version, which is currently 3.11.2.
The warnings come in advisories from vm2 maintainer Patrik Simek.
vm2 is an open source vm/sandbox that can run untrusted code with a whitelisted set of Node.js built-in modules.
One of the more serious of the 13 vulnerabilities is CVE-2026-26956, a full sandbox escape with arbitrary code execution. Attacker code that is inside VM.run() can obtain host process object a...
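As an added example (not code from the article or the vm2 project), here is a dependency check a defender could run over a project's package-lock.json to flag every vm2 install older than the 3.11.2 release recommended above; the lockfile contents and the plugin name are constructed.

```javascript
// Added example (not from the article or vm2): flag vm2 installs in a
// package-lock.json older than 3.11.2, the fixed release named above.
const FIXED_VM2 = "3.11.2";

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] || null };
}

// Comparator (<0, 0, >0); a prerelease sorts before its final release.
// Prerelease tags are compared as plain strings (simplified on purpose).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null || pb.pre === null) return pa.pre === null ? 1 : -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Handles both lockfile shapes: v2/v3 "packages" (flat, keyed by install
// path) and v1 "dependencies" (nested tree). Returns every unpatched vm2.
function findVulnerableVm2(lock) {
  const hits = [];
  const check = (path, version) => {
    if (compareSemver(version, FIXED_VM2) < 0) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/vm2")) check(path, pkg.version);
    }
    return hits; // v2 lockfiles also carry "dependencies"; skip it to avoid double counting
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") check(path, dep.version);
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (v3 shape): the direct vm2 is patched, but a transitive
// copy nested under a made-up plugin is not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/vm2": { version: "3.11.2" },
  "node_modules/example-plugin/node_modules/vm2": { version: "3.11.1" },
} };
```

Nested copies are the ones `npm ls vm2` is most likely to hide from a casual glance, which is why the check walks install paths rather than only the top-level entry.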