heise online

JavaScript Sandbox vm2: Critical Vulnerability Allows Escape

vm2 is a JavaScript sandbox for Node.js. Its development was actually discontinued in 2023. Another security vulnerability has been discovered in the software, allowing an escape from the secured ...
Dark Reading

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape ...
Bleeping Computer

Critical VM2 flaw lets attackers run code outside the sandbox

Researchers are warning of a critical remote code execution flaw in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository. The vm2 vulnerability ...