Shortly before the announcement, a vulnerability was discovered in vm2 for which there is no bug fix. The severity of the vulnerability is classified as critical with a CVSS score of 9.8 out of 10. This vulnerability allows attackers to bypass the promise handler’s sanitization and run arbitrary code, effectively breaking out of the sandbox. The security page of the project states that a proof of concept will be released on August 8th.
This latest vulnerability seems to be the final blow for the project, which has seen multiple critical vulnerabilities over the past few months. The sandbox was affected by vulnerabilities in April and May of this year, and a vulnerability with a CVSS score of 10 had already been found in vm2 by the end of 2022. The growing complexity of Node.js adds to the challenges the project faces, making it unsustainable in the long term.