vm2
vm2 is a Node.js sandbox for running untrusted code with a separate V8 isolate. It sits in the ecosystem next to tooling that evaluates user-supplied scripts, plugins, or agent payloads. Sandbox escape CVEs routinely reach critical CVSS scores because exploitation yields host-level code execution relative to the parent process. NVD tracks the package as cpe:2.3:a:vm2_project:vm2.
Querying vm2
vm23.9.10, 3.9.19, semvercurl "https://api.attestd.io/v1/check?product=vm2&version=3.9.10" \
-H "Authorization: Bearer $ATTESTD_KEY"vm2 3.9.10 sits in overlapping ranges for sandbox escape CVEs including CVE-2022-36067 (CVSS 10.0) and CVE-2023-32314 (CVSS 9.8). Expect aggregated risk_state: "critical".
{
"product": "vm2",
"version": "3.9.10",
"supported": true,
"risk_state": "critical",
"risk_factors": [
"remote_code_execution",
"no_authentication_required",
"patch_available"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "3.9.11",
"confidence": 0.88,
"cve_ids": ["CVE-2022-36067", "CVE-2023-32314"],
"last_updated": "2026-02-23T18:21:30Z",
"supply_chain": null
}vm2 3.9.19 has no known relevant vulnerabilities at the time of the last synthesis run.
curl "https://api.attestd.io/v1/check?product=vm2&version=3.9.19" \
-H "Authorization: Bearer $ATTESTD_KEY"CVE history
vm2's CVE record is concentrated in sandbox escape primitives in the isolate bridge. Because many deployments wrap vm2 behind services that expose user-supplied snippets, any escape is effectively remote code execution in the embedding application.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
CVE-2022-36067 | Sandbox escape allowing arbitrary host code execution from crafted JavaScript executed inside vm2. | < 3.9.11 | 10.0 |
CVE-2023-32314 | Sandbox escape via prototype chain manipulation yielding host-accessible execution. | < 3.9.17 | 9.8 |