A critical vulnerability has been patched in vm2, a widely used library for the Node.js JavaScript runtime that allows untrusted code to be executed inside a sandbox within the same process as trusted application code. The flaw allows a sandbox escape, which is as serious as it gets for a software component whose primary purpose is enforcing a security boundary between trusted and untrusted code. Because the sandbox runs in-process, an escape gives the attacker everything the host Node.js process can do: its file system and network access, its environment variables, and any credentials it holds.
The vm2 library, which is listed as a dependency by almost 900 other packages on npm and by many projects on GitHub, is no stranger to sandbox escape vulnerabilities. In fact, in July 2023 its author decided to stop maintaining the project and deprecate it after one such vulnerability.
Despite the project being unmaintained, and in the absence of good alternatives, people have kept using it, resulting in millions of downloads every month. In October 2025, the original maintainer decided to resurrect the project after patching all past vulnerabilities and announcing plans to rewrite it in TypeScript.


