JavaScript Sandbox vm2: Critical Vulnerability Allows Escape

The JavaScript sandbox vm2 for Node.js was actually discontinued. Now an update closes a critical security vulnerability.
至顶头条 on MSN

vm2库沙箱逃逸漏洞致任意代码执行风险

热门Node.js库vm2被曝出严重沙箱逃逸漏洞CVE-2026-22709,CVSS评分9.8分。该漏洞源于Promise处理程序的不当清理,攻击者可利用此漏洞逃脱沙箱并在底层操作系统执行任意代码。漏洞已在3.10.2版本中修复,但这是该库近年来遭遇的一系列沙箱逃逸漏洞之一。维护者建议用户及时更新并考虑使用isolated-vm等更安全的替代方案。
CSO Online

Critical bug in popular vm2 Node.js sandboxing library puts projects at risk

Sandbox escape vulnerability in vm2, used by nearly 900 NPM packages, allows attackers to bypass security protections and ...