It's possible to escape the NodeVM through access to host objects, specifically through an exception. Some host objects are accessible from the VM's pseudo Nodejs events.
In fact, the next escape will always be there from somebody clever. Nodejs's vm module that this builds upon states:
I don't believe something that builds upon it can claim to be secure to untrusted code as the README states.
@eugenekolo Thank you for reporting the issue; it's fixed in 3.6.1.
The statement on Node's VM module is really important because Node's internal VM is not intended to run untrusted code. That's why I started this project - to make an additional layer that makes the context secure enough to run untrusted code.
And as with every piece of software out there that claims to be secure - it is safe until someone finds a way to break it.