Critical Vulnerability Found in JavaScript Sandbox vm2

JavaScript Sandbox vm2: New critical vulnerability, no more updates

The maintainer of the JavaScript sandbox vm2 has announced the end of the open source project. Patrik Simek, the initiator of the project, explained on GitHub that the library contains critical security problems and is not suitable for production use. As an alternative, he recommends the open-source isolated-vm.

Shortly before the announcement, a vulnerability was discovered in vm2 for which there is no bug fix. The severity of the vulnerability is classified as critical with a CVSS score of 9.8 out of 10. This vulnerability allows attackers to bypass the promise handler’s sanitization and run arbitrary code, effectively breaking out of the sandbox. The security page of the project states that a proof of concept will be released on August 8th.

This latest vulnerability seems to be the final blow for the project, as there have been multiple critical vulnerabilities in vm2 over the past few months. In April and May of this year, the sandbox was affected by vulnerabilities, and there was already a vulnerability with a CVSS score of 10 in vm2 by the end of 2022. The growing complexity of Node.js also adds to the challenges faced by the project, making it unsustainable in the long term.

In light of these issues, the updated readme of vm2 declares the end of the project. Simek recommends that vm2 users switch to isolated-vm, an alternative JavaScript library that provides multiple isolated JavaScript environments using the Isolate interface of the JavaScript engine V8. This transition is seen as a more secure option for users going forward.
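Before migrating, a team needs to know where vm2 is installed and which packages pull it in, since it often arrives as a transitive dependency. The following is an added example, not code from vm2 or from the article: `auditLock`, the constructed sample lockfile and the package name `report-renderer` are hypothetical, and it goes slightly beyond the article by handling both npm lockfile layouts.

```javascript
// Added example: find every installed copy of a package (default: vm2) in a
// parsed package-lock.json and list the packages that declare it.

// Package name from a v2/v3 lockfile key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The root project is
// keyed "" and workspace folders have no "node_modules/" segment.
function nameFromPath(path, meta) {
  const i = path.lastIndexOf('node_modules/');
  if (i === -1) return meta.name || path || '(root project)';
  return path.slice(i + 'node_modules/'.length);
}

function auditLock(lock, target = 'vm2') {
  const installed = [];         // { path, version } for each installed copy
  const requiredBy = new Set(); // packages that declare the target

  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path, meta);
      if (name === target) installed.push({ path, version: meta.version });
      const declared = { ...meta.dependencies, ...meta.optionalDependencies };
      if (target in declared) requiredBy.add(name);
    }
  } else {
    // lockfileVersion 1: nested "dependencies"; "requires" lists direct deps.
    // The root project's own declarations live in package.json, not here.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === target) installed.push({ path, version: meta.version });
        if (meta.requires && target in meta.requires) requiredBy.add(name);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return { installed, requiredBy: [...requiredBy].sort() };
}

// Constructed sample (lockfileVersion 3); versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'report-renderer': '*' } },
    'node_modules/report-renderer': { version: '0.0.0-example', dependencies: { vm2: '*' } },
    'node_modules/vm2': { version: '0.0.0-example' },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `auditLock`; a non-empty `installed` list with no `requiredBy` entries in a version 1 lockfile means vm2 is a direct dependency declared in `package.json`.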
