FixVibe

// code / spotlight

vm2 Sandbox Breakout Advisory

A vulnerable JavaScript sandbox dependency can put untrusted-code boundaries at risk.

L'accroche

vm2 is commonly used where an app needs to evaluate JavaScript while limiting what that code can reach. When a vulnerable vm2 release is present, teams should treat the sandbox boundary as a patch priority, especially for tenant scripts, plugins, workflow expressions, or AI/tool-generated code.

Comment ça marche

The repo check looks for the npm package `vm2` in dependency manifests and lockfiles. Exact lockfile versions produce high-confidence findings; broader manifest ranges are reported as version evidence when they can resolve to an affected release.

Le rayon d'impact

If a deployed app executes attacker-controlled code through an affected vm2 runtime, the sandbox may no longer be a reliable isolation layer. A repo match is dependency evidence, not proof that untrusted code reaches vm2 or that host command execution occurred.

// ce que fixvibe vérifie

Ce que FixVibe vérifie

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Défenses blindées

Upgrade `vm2` to 3.11.4 or newer, regenerate the active lockfile, rebuild the deployed Node.js runtime, and rerun the repo scan. If vm2 protects untrusted-code workflows, review queued inputs, tenant scripts, plugin data, logs, and credentials available to the Node.js process before treating the incident as closed.

// lance-le sur ta propre app

Continue de shipper pendant que FixVibe veille.

FixVibe sonde la surface publique de ton app comme le ferait un attaquant — sans agent, sans install, sans carte. Nous continuons à rechercher de nouveaux schémas de vulnérabilités et à les transformer en checks pratiques et correctifs prêts pour Cursor, Claude et Copilot.

Code source
116
tests dans cette catégorie
modules
76
vérifications code source dédiées
chaque scan
487+
tests sur toutes les catégories
  • Gratuit — sans carte, sans install, sans ping Slack
  • Colle juste une URL — on crawle, on sonde, on rapporte
  • Findings classés par sévérité, dédupliqués au signal
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Lancer un scan gratuit

// checks récents · correctifs pratiques · shippe sereinement

vm2 Sandbox Breakout Advisory — Focus vulnérabilité | FixVibe · FixVibe