Deno released Sandbox today, targeting platforms that execute LLM-generated code without human review. The service addresses a specific problem: untrusted code that calls external APIs with credentials. Basic compute sandboxing isn't enough when the code needs network access and secrets.
Sandbox uses lightweight Linux microVMs (Firecracker, under 200ms startup) with two security layers. First, network egress control limits outbound connections to approved hosts. Second, secrets never enter the environment as plaintext. Code sees only a placeholder token. The real credential materialises only when the sandbox makes a request to an approved host, implemented via an outbound proxy similar to coder/httpjail. If prompt-injected code tries to exfiltrate that placeholder elsewhere, it's useless.
The service includes a sandbox.deploy() call that ships code directly to Deno Deploy production without rebuilding. Defaults are 2 vCPUs, 512MB RAM, 10GB disk (adjustable). Pricing is $0.05/hour CPU time, $0.016/GB-hour memory, with 40 hours and 1000 GB-hours included in the Pro plan.
History suggests caution. A Windows command injection vulnerability (CVE-2026-22864) recently broke Deno's sandboxing model via batch file extensions. GitHub discussions question whether base Deno is safe for untrusted code due to potential file, network, and environment access gaps. The broader ecosystem has struggled: vm2's critical escape flaw (CVE-2026-22709, CVSS 9.8) from Promise mishandling led maintainers to warn of future bypasses and recommend V8 Isolates or Docker instead. N8N workflow sandboxes failed similarly with CVSS scores up to 9.9 on AST sanitisation issues.
Deno Sandbox is in beta, available in Amsterdam and Chicago regions. The service includes volume persistence for stateful workloads and snapshot support for pre-installed toolchains. Enterprise customers get SOC2, ISO27001 certification, and HIPAA BAA.
Worth noting: the technical approach is sound, but sandbox escape vulnerabilities have a pattern of emerging over time. The proof will be in production use and how quickly Deno patches any bypasses that surface.