Web Hacking Members Only

Node.js vm2 Sandbox Escape

Run someone else’s JavaScript inside your own Node process and call it a “sandbox,” and you’ve already lost — you just don’t know it yet. The built-in vm escapes in one line. vm2 fought that fight for years with proxies and rewrites, and lost again and again, until its authors gave up and told everyone to stop using it.

Related Articles