A critical vulnerability (CVE-2026-22709) has been identified in the vm2 sandbox library for Node.js, widely used to isolate code execution. Security researchers warn this flaw enables attackers to escape the sandbox, potentially granting system-level access and allowing malicious command execution on affected hosts.
vm2 is commonly used in SaaS platforms, online code editors, and testing tools, making the risk widespread. Organisations using vm2 should urgently apply patches or review alternative solutions. The incident serves as a sharp reminder that trusted sandboxes can harbour flaws; security teams must regularly audit dependencies and maintain rigorous controls for handling user-supplied code. Review your threat models to ensure they do not overestimate isolation assurances.
Critical Sandbox Escape Vulnerability CVE-2026-22709 Discovered in vm2 Node.js Library
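As a starting point for the dependency audit recommended above, the following added example (not code from the vm2 project or from the original page) lists every installed copy of vm2 in an npm lockfile, including transitive copies, and the packages that declare it. The sample lockfile, the package names `code-runner` and `vm2-helper`, and the helper `auditLockfile` are constructed for illustration; the script compares no versions because the page does not state which release contains the fix.

```javascript
// Added example (not vm2 project code). Works on npm lockfileVersion 2 or 3,
// where every installed package is a key in the top-level "packages" map.

// Constructed sample lockfile: package names and versions are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "code-runner": "^1.0.0" } },
    "node_modules/code-runner": { version: "1.0.0", dependencies: { vm2: "*" } },
    "node_modules/code-runner/node_modules/vm2": { version: "0.0.0-constructed" },
    "node_modules/vm2-helper": { version: "1.0.0" }, // similar name, must not match
  },
};

// Returns where `name` is installed and which packages declare it.
function findPackage(lock, name) {
  const entries = Object.entries(lock.packages || {});
  const suffix = "node_modules/" + name;
  const installed = [];
  const dependents = [];
  for (const [path, meta] of entries) {
    // An installed copy has a key ending in node_modules/<name>, at any depth.
    if (path === suffix || path.endsWith("/" + suffix)) {
      installed.push({ path, version: meta.version || "unknown" });
    }
    // A dependent lists <name> in one of its dependency maps.
    const declared = {
      ...meta.dependencies,
      ...meta.optionalDependencies,
      ...meta.peerDependencies,
    };
    if (Object.prototype.hasOwnProperty.call(declared, name)) {
      dependents.push({ path: path || "(root project)", range: declared[name] });
    }
  }
  return { installed, dependents };
}

// Hypothetical helper for a real project: reads a lockfile from disk.
function auditLockfile(file, name = "vm2") {
  const fs = require("fs");
  return findPackage(JSON.parse(fs.readFileSync(file, "utf8")), name);
}

console.log(JSON.stringify(findPackage(SAMPLE_LOCK, "vm2"), null, 2));
```

A non-empty `installed` list with an empty root-level entry in `dependents` means vm2 arrived transitively, so the fix may have to come from updating the dependent package rather than the project's own `package.json`.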

