Developers Urged to Patch Critical vm2 Node.js Vulnerabilities Immediately

Security researchers have revealed 12 critical vulnerabilities affecting the popular vm2 Node.js library, exposing applications to sandbox escapes and remote code execution attacks.

The vm2 package is widely used to run untrusted JavaScript inside an isolated context. It builds on Node.js's built-in vm module, which by itself is not a security boundary, and adds a bridge that wraps every object crossing between the host and the sandbox in a Proxy. Those proxies are what stop malicious code from reaching host-realm objects and, through them, the host application or the underlying operating system.

Researchers now warn that multiple newly discovered flaws allow attackers to completely bypass those protections and execute arbitrary code directly on affected systems.

Several of the vulnerabilities carry critical CVSS severity scores ranging from 9.1 to 10.0, making them highly dangerous for organizations relying on vm2 in production environments.

Among the most severe issues is CVE-2026-43997, which allows attackers to escape the sandbox by obtaining access to the host Object, ultimately leading to arbitrary code execution. A single reference to any unwrapped host-realm object is enough, because its constructor chain leads to the host Function constructor, which compiles code that runs outside the sandbox.

Another critical flaw, CVE-2026-44006, abuses the getPrototypeOf trap of the “BaseHandler” proxy handler in vm2's bridge to achieve remote code execution on the host system.

Researchers also identified vulnerabilities tied to “lookupGetter”, “inspect”, “SuppressedError”, and several JavaScript prototype handling mechanisms that attackers can exploit to break out of the sandbox.

One of the vulnerabilities, CVE-2026-43999, allows attackers to bypass NodeVM restrictions, the allowlist that is meant to control which built-in modules sandboxed code may require, and load dangerous built-in modules such as “child_process,” enabling execution of operating system commands.

Additional flaws affect how vm2 handles Array species (Symbol.species) manipulation, exceptions with a null prototype, and errors raised during Symbol-to-string coercion. Some vulnerabilities also enable prototype pollution attacks that could further compromise applications using the library.

The vulnerabilities affect releases prior to 3.11.2. The fixes were spread across versions 3.10.5, 3.11.0, 3.11.1, and the latest release 3.11.2, so only 3.11.2 addresses all of them; any earlier release should be treated as affected by at least one of the issues.

The disclosure follows another critical vm2 sandbox escape vulnerability, CVE-2026-22709, which was patched earlier this year by vm2 maintainer Patrik Simek.

The growing number of sandbox escape vulnerabilities highlights the ongoing difficulty of securely isolating untrusted JavaScript code inside Node.js environments. Even minor weaknesses in sandbox logic can give attackers a direct path to the host system.

Security experts are urging developers and organizations using vm2 to immediately update to version 3.11.2 and review applications that rely on sandboxed JavaScript execution. Because vm2 is often pulled in transitively by other packages, the check should cover nested copies in the installed dependency tree, not only the version declared in package.json.
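A lockfile check for that review, added here as an example and not taken from the article or the vm2 project. It walks an npm package-lock.json, both the lockfileVersion 2/3 “packages” map and the older v1 “dependencies” tree, and reports every installed copy of vm2 below 3.11.2, including transitive ones. The sample lockfile, the hypothetical “report-runner” dependency and the plain x.y.z version comparison are constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the article or vm2): find every installed copy of
// vm2 in an npm lockfile and flag those below the fixed release.

const FIXED_VM2 = '3.11.2';   // recommended release per the article

// Assumes plain x.y.z versions (prerelease tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect { path, version } for every installed copy of `name`.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {                                  // lockfileVersion 2/3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {                       // lockfileVersion 1
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function vulnerableVm2(lock, fixed = FIXED_VM2) {
  return findPackage(lock, 'vm2').filter((h) => compareVersions(h.version, fixed) < 0);
}

// Constructed sample lockfile (v3 format): a patched root copy plus a stale
// transitive copy pulled in by a hypothetical dependency "report-runner".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vm2: '^3.11.2', 'report-runner': '^1.0.0' } },
    'node_modules/vm2': { version: '3.11.2' },
    'node_modules/report-runner': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/report-runner/node_modules/vm2': { version: '3.9.19' },
  },
};

// Usage: node vm2-audit.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require('node:fs').readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCK;
  const hits = vulnerableVm2(lock);
  for (const h of hits) console.log(`${h.path}: vm2@${h.version} < ${FIXED_VM2}`);
  if (hits.length === 0) console.log('no vm2 copies below ' + FIXED_VM2);
}
```

Against the sample lockfile the root copy passes and the nested copy under report-runner is reported, which is exactly the case a package.json review would miss.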

The latest discoveries also reinforce broader concerns around open-source software security and the risks associated with third-party libraries commonly integrated into modern applications.
