:

CRITICAL VM2 BUG ALLOWS CODE EXECUTION ON HOST

INDUSTRY DESK2 MIN READ
WED, MAY 6, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

A critical vulnerability in Node.js sandbox library vm2 enables attackers to escape the sandbox and execute arbitrary code on host systems. The flaw affects versions prior to the latest patch.

■ The Vulnerability vm2, a widely-used Node.js library for creating isolated virtual machine contexts, contains a critical sandbox escape vulnerability. The bug allows malicious code running inside the sandbox to break out and execute commands on the underlying host system with full privileges. ■ Impact Any application using vm2 to execute untrusted code faces immediate risk. Attackers can leverage the vulnerability to: - Execute arbitrary system commands - Access sensitive files and environment variables - Compromise the entire host machine - Potentially pivot to other systems on the network The vulnerability carries a CVSS score of 9.8, indicating critical severity. ■ Affected Versions The flaw affects all versions of vm2 prior to the patched release. Organizations using vm2 for code sandboxing—common in platforms that execute user-submitted code, educational tools, and code-as-a-service platforms—should prioritize immediate updates. ■ Recommended Actions Developers should: 1. Update immediately to the latest patched version of vm2 2. Audit dependencies to confirm vm2 usage across their codebase 3. Review access logs for signs of exploit attempts 4. Assume compromise if untrusted code was executed prior to patching ■ Timeline The vulnerability was identified by security researchers and disclosed responsibly to the vm2 maintainers. A patch has been released. Users should treat this as a high-priority security update. vm2 is installed millions of times monthly, making this a widespread exposure affecting numerous projects and platforms across the Node.js ecosystem.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.

JUST NOWIndustry Desk

Aylo, Pornhub's parent company, will restore access to the site in the UK through Apple's device-level age verification system in iOS 26.4. The move requires users to complete age verification before accessing the platform.

1H AGOIndustry Desk

Australia's eSafety Commissioner has identified significant gaps in how major tech platforms address online sexual extortion. Young men are reporting sextortion at higher rates than any other demographic, with over 2,000 complaints filed in just six months.

1H AGOIndustry Desk

Angelo Martino, a ransomware negotiator, was sentenced to 70 months in prison for colluding with attackers to defraud victims. Martino helped orchestrate scams that extracted over $75 million from ransomware victims.

1H AGOSecurity Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.