Safeguard
Application Security

Security concerns of using the Node.js VM module as a sandbox

Node's vm module and vm2 were never a security boundary. Four critical CVEs and a 2023 deprecation prove why untrusted-code sandboxes need real isolation.

Hritik Sharma
Security Engineer
1 min read

Node.js ships a built-in vm module that lets you compile and run JavaScript inside a separate V8 context — and for over a decade, teams have reached for it to run plugin code, user-submitted scripts, CI/CD tasks, and third-party config files "safely." The problem: Node's own documentation states plainly that vm "is not a security mechanism" and "should not be used to run untrusted code." Developers ignore that warning constantly, and the consequences have been severe. The most popular userland wrapper built on top of vm, the vm2 package, was hit with at least four critical sandbox-escape CVEs between August 2022 and August 2023 — including one scoring a perfect CVSS 10.0 — before its maintainers deprecated the project outright in September 2023. This post breaks down why vm-based isolation fails, how attackers actually escape it, and what to run instead if your product executes code you don't control.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.