vm2

Vm2 is a Node.js library that provides sandboxed execution for untrusted JavaScript code. It builds on the V8 engine’s ability to create isolated contexts and enhances it with safeguards and conveniences for running third-party or user-supplied scripts in a server environment. The project offers two main interfaces: VM and NodeVM. VM runs code in a strict sandbox without access to Node’s require or process by default, while NodeVM can optionally enable requiring external modules inside the sandbox, still enforcing isolation. A sandbox object can be supplied to pass data to the running code and read results back from it. Additional options typically include execution timeout, console handling, and module access controls.

Vm2 is commonly used for evaluating user-submitted code, executing plugins, or safely running untrusted scripts within a larger application. It provides mechanisms to capture or redirect console output, preload modules, and restrict file system or network access as part of its configuration. The design aims to strike a balance between usefulness and safety, offering a more convenient and configurable alternative to the built-in Node.js vm module.

Security considerations are central to vm2. While the library strengthens isolation compared with a plain VM, it is not guaranteed to be an impenetrable security boundary. The project advises treating vm2 as a strong but not perfect containment mechanism and recommends several best practices, such as running code in a separate process for hard isolation and keeping dependencies up to date to address discovered vulnerabilities.

See also: similar sandboxing tools and related Node.js modules that provide isolated execution environments.
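The separate-process recommendation above, sketched as an added example (not vm2's or the project's own code). Node's built-in vm module stands in for the in-process sandbox layer where vm2's VM would go; `runIsolated`, `CHILD_SRC` and the limit values are hypothetical names and settings chosen for illustration.

```javascript
'use strict';
const { spawnSync } = require('node:child_process');

// Child program (constructed for this example). It reads the untrusted script
// from stdin and evaluates it in a fresh context that has no require/process.
// node:vm is a stand-in for the in-process sandbox layer (e.g. vm2's VM).
const CHILD_SRC = `
const vm = require('node:vm');
const src = require('node:fs').readFileSync(0, 'utf8');
let out;
try {
  const value = vm.runInNewContext(src, Object.create(null), { timeout: 200 });
  out = { ok: true, value: String(value) };
} catch (e) {
  out = { ok: false, error: String(e && e.message) };
}
process.stdout.write(JSON.stringify(out));
`;

// Run `script` in a throwaway Node process. The parent trusts nothing the
// child says beyond a small JSON shape, and kills it on a wall-clock limit.
function runIsolated(script, wallMs = 5000) {
  const r = spawnSync(process.execPath, ['--max-old-space-size=128', '-e', CHILD_SRC], {
    input: script,
    encoding: 'utf8',
    timeout: wallMs,        // wall-clock limit enforced from outside the sandbox
    killSignal: 'SIGKILL',  // not catchable by the child
    maxBuffer: 64 * 1024,   // cap on bytes accepted from the child
    env: {},                // do not leak the parent's environment variables
    stdio: ['pipe', 'pipe', 'ignore'],
  });
  if (r.error) return { ok: false, error: r.error.code || 'spawn failed' };
  if (r.status !== 0) return { ok: false, error: `child exited: ${r.status ?? r.signal}` };
  try {
    const out = JSON.parse(r.stdout);
    if (typeof out.ok !== 'boolean') throw new Error('unexpected shape');
    return out.ok
      ? { ok: true, value: String(out.value) }
      : { ok: false, error: String(out.error) };
  } catch {
    return { ok: false, error: 'malformed child output' };
  }
}

console.log(runIsolated('6 * 7'));
console.log(runIsolated('typeof require + "," + typeof process'));
console.log(runIsolated('while (true) {}'));
```

The wall-clock kill also covers work the in-context `timeout` does not bound, such as promise callbacks that run after the script has returned. A child process still runs as the same OS user, so file system and network limits have to come from the operating system or a container.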