Security researchers have disclosed a dozen critical vulnerabilities in vm2, an open-source Node.js library designed to safely execute untrusted JavaScript code in isolation. The flaws could allow attackers to break out of the sandbox and run arbitrary code on vulnerable systems.