vm2
-
vm2 library hit by a dozen critical Node.js sandbox escape flaws
A dozen critical vm2 vulnerabilities disclosed on May 7, 2026 can let attackers escape Node.js sandboxes, run code on the host and bypass allowlists. Fixes are available in vm2 3.11.2 and earlier patch releases.
-
Critical vm2 sandbox escape CVE-2026-22709 allows arbitrary code execution
A critical sandbox escape in the vm2 Node.js library, tracked as CVE-2026-22709 and rated CVSS 9.8, lets attackers run code on host systems. Users should update to vm2 3.10.3.
