Node.js vm2 Sandbox Escape
Run someone else’s JavaScript inside your own Node process and call it a “sandbox,” and you’ve already lost — you just don’t know it yet. The built-in vm escapes in one line. vm2 fought that fight for years with proxies and rewrites, and lost again and again, until its authors gave up and told everyone to stop using it.
Members Only Content
This article is exclusively available to registered members of LazyHackers. Login or subscribe to read.