AI Security Wire

vm2 Sandbox Escapes: How 13 CVEs Put AI Code Interpreters at Risk

Thirteen critical vulnerabilities in vm2, the Node.js sandbox library, were disclosed in a coordinated release on May 4 and 5, 2026. The CVSS scores cluster around 9.8. For a security library, this is catastrophic. For AI security specifically, it exposes something structural: many AI agent frameworks with code interpretation capabilities use vm2 as their isolation layer. When vm2 breaks, the security boundary between what an LLM generates and what executes on the host collapses.

What vm2 Does and Where It Sits

vm2 is an open-source Node.js sandbox. It runs untrusted JavaScript code inside an isolated context, theoretically preventing that code from accessing Node.js built-ins, host filesystem, network stack, or system processes. The original use case was running user-submitted scripts safely. It became widely used in any Node.js environment that needed to execute untrusted code.

AI agent frameworks adopted it for code interpreter tools, where the agent generates JavaScript or TypeScript to accomplish a task and the framework executes it. The vm2 sandbox was meant to be the containment layer. A successful escape means the agent’s generated code reaches the host directly, with whatever permissions the Node.js process runs under.

The CVE Cluster

The May 2026 coordinated disclosure covered 13 advisories. The vulnerabilities break into several classes, each exploiting a different weakness in how vm2 enforces isolation.

CVE-2026-45411 (CVSS 9.8): The most widely covered. vm2’s async generator handling allowed an attacker to leverage the yield* expression inside an async generator to catch a host exception. When the generator closes via its return function, the value is awaited, and exceptions thrown within the then call are caught by the runtime and passed back to the yield* iterator as the next value. The sandbox’s isolation model does not intercept this exception path. Fixed in vm2 3.11.3.

CVE-2026-22709 (CVSS 9.8): Promise callback sanitization bypass disclosed in January 2026. The coordinated May disclosure built on this class. vm2 strips dangerous properties from objects passed into the sandbox but did not correctly handle all Promise callback scenarios, allowing controlled access to host-level primitives.

CVE-2026-24781 (CVSS 9.8): Sandbox escape via the Node.js inspect function. By triggering a specific inspect path inside the vm2 context, an attacker can reach out of the sandbox context into host-accessible code.

CVE-2026-44008: Affected financial infrastructure integrations (specifically flagged by SAMA bank risk advisories), indicating the library is embedded in production systems well beyond AI tooling.

The full cluster follows a pattern the vm2 maintainers have seen before. The library’s core isolation model relies on intercepting property access and function calls at the JavaScript layer, which is inherently brittle. Each new JavaScript runtime feature introduces potential escape paths that the sandbox’s interception model does not anticipate.

The AI Agent Chain

Microsoft Security Research named the structural problem explicitly in their “When Prompts Become Shells” blog post from May 7, 2026. In AI agent frameworks where prompts can influence executable logic, a sandbox escape converts prompt injection into host-level RCE. The chain looks like this:

  1. Attacker delivers a prompt injection payload through any channel the agent consumes: tool output, retrieved document, user input, webhook data
  2. The injected prompt causes the agent to generate code containing the sandbox escape payload
  3. The agent executes that code in vm2
  4. vm2’s isolation fails; the code escapes to the host process
  5. Arbitrary commands run with the permissions of the Node.js process

Step 1 can happen through indirect prompt injection, which requires no direct user access to the agent. If the agent retrieves content from an attacker-controlled source (a web page, a Slack message, a document from an external system), that content can carry the payload.

Kodem Security documented the IOC pattern in their June analysis, noting that vm2 sandbox escapes leave a recognizable fingerprint in Node.js process behavior: unusual child process spawning from the Node.js parent, access to filesystem paths the agent should not reach, and network connections initiated by the Node.js process rather than through normal agent tool calls.

Affected Surface

The AI agent frameworks most directly at risk are those that:

  • Include a code interpreter or code execution tool using vm2 as the sandbox
  • Run in Node.js environments
  • Allow agents to process external content (the indirect injection surface)

LangChain.js, several AutoGPT forks, and custom agent orchestration systems built on Node.js have all used vm2 as a code execution layer. The Kodem report notes that bundled vm2 dependencies are a particular problem: internal packages that ship vm2 as a transitive dependency without exposing it as a direct dependency, making version auditing harder.

Not every AI agent framework uses vm2. Python-based frameworks (LangChain Python, LlamaIndex, AutoGen) use different sandbox mechanisms. The exposure is specific to Node.js-based agent implementations with code execution capability.

Remediation

Upgrade to vm2 3.11.3 or later. The coordinated May 2026 release patched the known escape paths. If you are on an earlier version and cannot upgrade immediately, disabling code execution tools entirely is the only reliable mitigation. Partial sandboxing is not a meaningful control against a CVSS 9.8 escape.

Audit transitive dependencies. Run npm ls vm2 in affected repositories. Any version below 3.11.3 in the dependency tree, including transitive dependencies bundled by other packages, is a risk. Use npm audit and review the output for vm2 advisories.

Reconsider the architecture. vm2’s isolation model is JavaScript-level interception. Security engineers at Semgrep and Endor Labs have both noted that this approach is structurally fragile: each new JavaScript language feature is a potential escape path. For AI agents where code execution is a capability, isolation via a separate process (subprocess execution) or a container boundary provides significantly stronger guarantees than a same-process JavaScript sandbox. Subprocess execution with explicit capability limits, or containerization with a read-only filesystem and no network access, raises the bar meaningfully above what vm2 can provide.

Monitor agent process behavior. Anomalous child process spawning from Node.js, unexpected filesystem access, and network connections outside expected agent tool paths are all indicators of sandbox escape exploitation. Add detection for these patterns in environments running AI agents.

Apply prompt injection controls upstream. Sandbox escape is the downstream consequence. Reducing the prompt injection surface reduces the probability of the chain completing. Content from external sources should be sanitized before inclusion in agent context, and agent instructions should explicitly prohibit treating retrieved content as executable instructions.

Frequently Asked Questions

What is vm2 and why is it used in AI agent frameworks?
vm2 is an open-source Node.js library that runs untrusted code inside an isolated sandbox, preventing it from accessing host resources directly. AI agent frameworks that include code interpreter capabilities use vm2 to contain the code the LLM generates and executes, making it a structural security boundary. If vm2's isolation fails, whatever the agent runs has host access.
How does a vm2 sandbox escape connect to prompt injection?
In agent frameworks with code execution, prompt injection is one path an attacker can use to influence what code the agent generates. If the agent runs that code in a vulnerable vm2 sandbox, the attacker's injected logic can escape the sandbox and reach the host OS. The two vulnerabilities chain: prompt injection provides the payload, vm2's sandbox escape provides the host access.
Which versions of vm2 are affected and what is the fix?
The May 2026 coordinated disclosure affected vm2 versions prior to 3.11.3 across multiple vulnerability classes. CVE-2026-45411 specifically affected async generator handling and was fixed in 3.11.3. CVE-2026-22709 affected Promise callback sanitization. All vm2 users should upgrade to 3.11.3 or later and audit any dependencies that bundle vm2 internally.