
Hackers Could Exploit vm2 Flaws to Break Out of JavaScript Sandboxes

Security researchers have disclosed 12 high-severity vulnerabilities affecting the widely used vm2 Node.js library, raising serious concerns for developers and organizations that rely on the package to securely execute untrusted JavaScript code.

The open-source vm2 library is commonly used to isolate JavaScript execution inside sandboxed environments. It works by intercepting and proxying JavaScript objects to prevent malicious code from interacting directly with the host system. However, researchers say multiple newly discovered flaws allow attackers to completely bypass those protections.

Several of the vulnerabilities carry CVSS scores between 9.8 and 10.0, making them critical security risks capable of enabling sandbox escapes, arbitrary command execution, prototype pollution, and remote code execution on the host machine.

Among the most severe flaws is CVE-2026-43997, a critical code injection vulnerability that allows attackers to obtain access to the host Object and break out of the sandbox environment. Another critical flaw, CVE-2026-44006, enables remote code execution through the “BaseHandler.getPrototypeOf” mechanism.

Researchers also identified vulnerabilities involving JavaScript features such as “__lookupGetter__”, “inspect”, “SuppressedError”, and Symbol-to-string coercion, all of which can be abused to escape the sandbox and execute arbitrary commands on underlying systems.

One of the vulnerabilities, CVE-2026-43999, allows attackers to bypass NodeVM’s built-in allowlist protections and load restricted Node.js modules such as “child_process,” which can then be used to execute operating system commands directly.

Other flaws impact the library’s handling of array species manipulation, null prototype exceptions, and prototype pollution, further weakening vm2’s isolation mechanisms.

According to researchers, affected versions range across multiple vm2 releases, including versions prior to 3.11.2. Several vulnerabilities were patched in versions 3.10.5, 3.11.0, 3.11.1, and finally 3.11.2, which is currently the recommended secure release.

The disclosure comes only months after vm2 maintainer Patrik Simek addressed another critical sandbox escape vulnerability tracked as CVE-2026-22709.

Security experts say the growing number of sandbox escape flaws highlights the difficulty of safely isolating untrusted JavaScript code inside Node.js environments. Even small implementation weaknesses can allow attackers to bypass protections entirely and gain direct access to host systems.

Developers and organizations using vm2 are strongly advised to immediately upgrade to version 3.11.2 or later to reduce exposure to these newly disclosed vulnerabilities.
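
To act on that advice, a team first needs to know where vm2 is installed, including copies pulled in transitively. The following added example (not from the article or the vm2 project) walks a parsed `package-lock.json` and flags every vm2 copy older than 3.11.2; the sample lockfile and its package names are constructed for illustration.

```javascript
// Added example (not from the article or the vm2 project).
const FIXED = [3, 11, 2]; // recommended release named in the article

// True when a version string is older than FIXED. A prerelease of FIXED counts
// as older; an unparseable value (git URL, missing field) is flagged for review.
function isOlderThanFixed(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every installed vm2 copy, direct or transitive.
function findVm2(lock) {
  const hits = [];
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      hits.push({ path, version: meta.version });
    }
  }
  // Lockfile v1: nested "dependencies" objects; skip paths already seen.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2" && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, vulnerable: isOlderThanFixed(h.version) }));
}

// Constructed sample lockfile; "rule-runner" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.2" },
    "node_modules/rule-runner/node_modules/vm2": { version: "3.10.5" },
  },
};
console.log(findVm2(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVm2` and fail the build when any entry has `vulnerable: true`.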

The latest discoveries also serve as another reminder of the increasing security challenges surrounding JavaScript sandboxing technologies and third-party open-source dependencies widely used in production environments.
