vm2 is vulnerable to Remote Code Execution (RCE)
Risk score: 91 (Critical Risk)
With nesting: true, the module resolver merges in a nesting override that always exposes the vm2 builtin to the sandbox module graph, even when the host set require: false to deny every module. Sandbox code can therefore call require('vm2'), construct a fresh inner NodeVM with its own require policy (including host builtins such as child_process), and run operating-system commands outside the intended isolation. The patch rejects the contradictory option pair (nesting: true together with require: false) at construction time with a clear VMError, so embedders can no longer silently build a host-equivalent environment while believing require is fully disabled.
You are affected if you are using a version in the vulnerable range and your application runs untrusted or user-supplied code inside a NodeVM created with nesting: true, in particular if you rely on require: false to block all module access from that sandbox.
vm2 is vulnerable to Remote Code Execution (RCE) in versions 0.0.1 - 3.11.0.
Upgrade vm2 to a version later than 3.11.0, which rejects nesting: true combined with require: false at construction time. Until then, do not enable nesting for sandboxes that run untrusted code.