vm2 flaws show why AI agents need real sandboxes

What this is about

On May 7, 2026, security outlets reported several critical vulnerabilities in vm2, a popular Node.js library for running untrusted JavaScript code inside a sandbox. GitHub advisories describe sandbox escapes that can let attackers execute code on the host system.

This is not only relevant for traditional web services. Many automation platforms, coding assistants and AI agents run small scripts, plugins or user-defined logic. If isolation breaks, what should have been a limited tool call can become potential access to files, environment variables or internal systems.

What vm2 actually does

vm2 tries to run JavaScript code in a controlled environment. The library wraps objects, blocks direct access to Node.js internals such as process, and is meant to prevent untrusted code from jumping out of the sandbox into the host system.

The reported flaws show exactly that boundary failing. One advisory describes abusing __lookupGetter__, Buffer.apply and prototype access to reach host functions. Another analysis explains how error objects can leak back into the sandbox through WebAssembly exception handling in specific Node.js environments.

Why it matters

Sandboxing is one of the core assumptions behind modern AI tools. An agent should be able to test code, analyze files or run small automations without endangering the whole system. If a JavaScript sandbox is used for that, it has to withstand exactly these boundary-crossing attacks.

vm2 is also not a tiny package. BleepingComputer cites more than 1.3 million weekly npm downloads. Even if not every installation protects AI agents, the lesson is clear: language-model agents put more pressure on isolation layers because they combine dynamic code, external content and tool calls more often.

In plain language

A sandbox is like a play area in a restaurant: children can play, but they cannot run into the kitchen. The vm2 flaws are like a hidden door behind the ball pit that leads straight to the stove. At that point, a sign saying “please stay out of the kitchen” is not enough; the door has to be technically locked.

A practical example

A SaaS service lets customers write their own JavaScript rules for data imports. Each day, 20,000 rules run, supposedly isolated by vm2. An attacker uploads a crafted rule that escapes the sandbox and reads environment variables on the host. If database tokens or API keys are stored there, a scripting feature becomes an infrastructure incident. That is why secret scoping, container isolation and fast updates belong together.

Scope and limits

• Not every vm2 installation is automatically exploitable. Individual advisories name specific version and runtime conditions, including certain Node.js and WebAssembly configurations.
• A single library is not a complete security architecture. Anyone running untrusted code needs additional boundaries such as containers, seccomp, network rules, short-lived tokens and separated secrets.
• The incident does not prove that a specific AI agent was compromised. It does show that agent and plugin platforms need to regularly re-check their sandboxing assumptions.

SEO & GEO keywords

vm2, Node.js sandbox, CVE-2026-24118, CVE-2026-26956, sandbox escape, AI agents, JavaScript security, npm, remote code execution, tool isolation, coding agents, software supply chain