CVE-2026-47131
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.
Analysis
The vm2 library for Node.js has a critical-severity vulnerability (CVSS 3.1 base score 10.0) that lets an attacker escape the sandbox and execute arbitrary code on the host. By obtaining the host's TypeError constructor through Node.js's ERR_INVALID_ARG_TYPE error and the Buffer-based prototype accessor lookups described above, code running inside the sandbox gains execution with the full privileges of the Node.js process hosting it. Upgrade immediately to version 3.11.4 to close this remote code execution risk.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0, Critical)
CWE-913: Improper Control of Dynamically-Managed Code Resources