FixVibe

// código / holofote

vm2 Sandbox Breakout Advisory

A vulnerable JavaScript sandbox dependency can put untrusted-code boundaries at risk.

A pegada

vm2 is commonly used where an app needs to evaluate JavaScript while limiting what that code can reach. When a vulnerable vm2 release is present, teams should treat the sandbox boundary as a patch priority, especially for tenant scripts, plugins, workflow expressions, or AI/tool-generated code.

Como funciona

The repo check looks for the npm package `vm2` in dependency manifests and lockfiles. Exact lockfile versions produce high-confidence findings; broader manifest ranges are reported as version evidence when they can resolve to an affected release.

O raio de impacto

If a deployed app executes attacker-controlled code through an affected vm2 runtime, the sandbox may no longer be a reliable isolation layer. A repo match is dependency evidence, not proof that untrusted code reaches vm2 or that host command execution occurred.

// o que o fixvibe verifica

O que o FixVibe verifica

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Defesas blindadas

Upgrade `vm2` to 3.11.4 or newer, regenerate the active lockfile, rebuild the deployed Node.js runtime, and rerun the repo scan. If vm2 protects untrusted-code workflows, review queued inputs, tenant scripts, plugin data, logs, and credentials available to the Node.js process before treating the incident as closed.

// rode no seu próprio app

Continue publicando enquanto o FixVibe vigia.

O FixVibe pressiona a superfície pública do seu app do jeito que um atacante faria — sem agente, sem instalação, sem cartão. Continuamos pesquisando novos padrões de vulnerabilidade e transformando isso em checks práticos e fixes prontos para Cursor, Claude e Copilot.

Código fonte
116
testes nessa categoria
módulos
76
checks dedicados de código fonte
todo scan
487+
testes em todas as categorias
  • Grátis — sem cartão, sem instalação, sem ping de Slack
  • Só colar uma URL — a gente crawla, sonda e reporta
  • Achados classificados por severidade, deduplicados no sinal
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Rodar um scan grátis

// checks atuais · fixes práticos · publique com confiança

vm2 Sandbox Breakout Advisory — Holofote de Vulnerabilidade | FixVibe · FixVibe