The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, wasreportedby researchers from South Korea-basedKAIST WSP Labon April 6, 2023, prompting vm2 to release a fix withversion 3.9.15on