A critical vulnerability has been patched in vm2, a widely used library for the Node.js JavaScript runtime that allows untrusted code to be executed inside a sandbox within the same process as trusted application code. The flaw allows for a sandbox escape, which is as severe as it gets for a software component whose primary purpose is enforcing a security boundary between trusted and untrusted code.
The vm2 library, which is listed as a dependency by nearly 900 other packages on NPM and many projects on GitHub, is no stranger to sandbox escape vulnerabilities. In fact, in July 2023, its author decided to stop maintaining the project and deprecate it after one such vulnerability.
Despite the project being unmaintained, in the absence of good alternatives, people have kept using it, resulting in millions of downloads every month. In October 2025, the original maintainer decided to revive the project after patching all previous vulnerabilities and announcing plans to rewrite it in TypeScript.