Node.js ships a built-in vm module that lets you compile and run JavaScript inside a separate V8 context — and for over a decade, teams have reached for it to run plugin code, user-submitted scripts, CI/CD tasks, and third-party config files "safely." The problem: Node's own documentation states plainly that vm "is not a security mechanism" and "should not be used to run untrusted code." Developers ignore that warning constantly, and the consequences have been severe. The most popular userland wrapper built on top of vm, the vm2 package, was hit with at least four critical sandbox-escape CVEs between August 2022 and August 2023 — including one scoring a perfect CVSS 10.0 — before its maintainers deprecated the project outright in September 2023. This post breaks down why vm-based isolation fails, how attackers actually escape it, and what to run instead if your product executes code you don't control.
Application Security
Security concerns of using the Node.js VM module as a sandbox
Node's vm module and vm2 were never a security boundary. Four critical CVEs and a 2023 deprecation prove why untrusted-code sandboxes need real isolation.
Hritik Sharma
Security Engineer
1 min read
More on #nodejs-security
View allContainer Security
How to Containerize a Node.js App Securely
6 min read
Application Security
How to prevent log injection vulnerabilities in Node.js
6 min read
Application Security
Comparing Node.js frameworks for security: Express, Fastify, NestJS
7 min read
Application Security
5 Node.js security code snippets every backend developer should know
8 min read
Related articles in Application Security
Application Security
Finding vulnerable code hidden inside shaded and uber JARs
JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.
July 16, 2026Read
Application Security
ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS
A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.
July 16, 2026Read
Application Security
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
July 16, 2026Read
Never miss an update
Weekly insights on software supply chain security, delivered to your inbox.