CRITICAL

Dozen Critical Vulnerabilities in vm2 Node.js Library Enable Sandbox Escape and RCE

rce · vulnerability · npm · supply-chain

Twelve critical security vulnerabilities have been disclosed in vm2, the widely used Node.js library for running untrusted JavaScript inside a sandbox. The flaws allow attackers to escape the sandbox and execute arbitrary code on the underlying host system. vm2 is a common dependency in Node.js tooling and developer platforms that isolate untrusted code execution, making this a significant supply-chain exposure for JavaScript ecosystems. Teams using vm2 should prioritize patching and assess downstream exposure in any tooling or CI/CD infrastructure that embeds the library.