CRITICAL VM2 BUG ALLOWS CODE EXECUTION ON HOST
INDUSTRY DESK ■ 2 MIN READ
WED, MAY 6, 2026 ■ AI-SUMMARIZED FROM 1 SOURCE BELOW
A critical vulnerability in the Node.js sandbox library vm2 allows attackers to escape the sandbox and execute arbitrary code on the host system. The flaw affects all versions prior to the patched release.
■ The Vulnerability
vm2, a widely used Node.js library for running code in isolated virtual-machine contexts, contains a critical sandbox-escape vulnerability. The bug allows malicious code running inside the sandbox to break out and execute commands on the underlying host with the full privileges of the Node.js process hosting the sandbox.
■ Impact
Any application using vm2 to execute untrusted code faces immediate risk. Attackers can leverage the vulnerability to:
- Execute arbitrary system commands
- Access sensitive files and environment variables
- Compromise the entire host machine
- Potentially pivot to other systems on the network
The vulnerability carries a CVSS score of 9.8, indicating critical severity.
■ Affected Versions
The flaw affects all versions of vm2 prior to the patched release. Organizations using vm2 for code sandboxing—common in platforms that execute user-submitted code, educational tools, and code-as-a-service platforms—should prioritize immediate updates.
■ Recommended Actions
Developers should:
1. Update immediately to the latest patched version of vm2
2. Audit dependencies to confirm vm2 usage across their codebase
3. Review access logs for signs of exploit attempts
4. Assume compromise if untrusted code was executed prior to patching
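Step 2 above, auditing a codebase for vm2, is the one most teams get wrong, because a vulnerable copy is often pulled in transitively by a plugin rather than listed directly in package.json. The script below is an added example, not code from the article or from the vm2 project: it parses an npm package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree), reports every installed copy of vm2 with its path, and flags copies older than a patched version that the reader supplies. The article does not name the patched version, so the version strings and the sample lockfiles used here are constructed placeholders to be replaced with the values from the vendor advisory and the real lockfile.

```javascript
// Added example: audit a package-lock.json for installed copies of vm2.
// Not from the article or the vm2 project. Version numbers and sample
// lockfiles are constructed placeholders, not real advisory data.

// Minimal semver comparison (major.minor.patch; prerelease tags ignored).
// Returns negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect { path, version } for every vm2 entry in a parsed lockfile.
// lockfileVersion 2/3: "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree, so nested (transitive)
// copies under a plugin's own node_modules are found too.
function findVm2(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Return only the vm2 copies older than patchedVersion (taken from the
// advisory; the article does not state it, so the caller must supply it).
function auditLock(lock, patchedVersion) {
  if (typeof patchedVersion !== "string") {
    throw new Error("patchedVersion (from the vm2 advisory) is required");
  }
  return findVm2(lock).filter(h => compareVersions(h.version, patchedVersion) < 0);
}

// Constructed sample lockfiles (not real project data) showing a direct
// copy of vm2 and a second, transitive copy nested under a plugin.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "1.1.0" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "1.2.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    vm2: { version: "1.2.0" },
    "some-plugin": { version: "2.0.0", dependencies: { vm2: { version: "1.1.0" } } },
  },
};

// Stand-alone use: node audit-vm2.js <path/to/package-lock.json> <patchedVersion>
// Only runs when invoked directly with both arguments; harmless when imported.
if (typeof require !== "undefined" && require.main === module && process.argv[3]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const vulnerable = auditLock(lock, process.argv[3]);
  for (const h of vulnerable) console.log(`VULNERABLE ${h.path} ${h.version}`);
  process.exitCode = vulnerable.length ? 1 : 0;
}
```

A non-zero exit code makes the script usable as a CI gate; for yarn or pnpm projects the same walk applies to their lockfiles, but the parsing differs and is not covered here. Because the check keys on install path rather than on package.json alone, a copy of vm2 vendored by a third-party plugin is reported with the path that identifies which dependency dragged it in.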
■ Timeline
The vulnerability was identified by security researchers and disclosed responsibly to the vm2 maintainers. A patch has been released. Users should treat this as a high-priority security update.
vm2 is installed millions of times monthly, making this a widespread exposure affecting numerous projects and platforms across the Node.js ecosystem.