Critical vm2 Node.js flaw allows sandbox escape and arbitrary code execution Source: The Hacker News thehackernews.com/2026/01/c… A critical vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, could allow an attacker to escape the sandbox and execute arbitrary code on the host operating system. The issue is particularly relevant for systems that run untrusted JavaScript in “sandboxed” contexts and rely on vm2 for isolation.
Critical vm2 Node.js flaw allows sandbox escape and arbitrary code execution
Edward Kiledjian
@ekiledjian