CVSS 10.0 · CRITICAL

CVE-2026-47140

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Analysis

The vm2 library for Node.js has a critical flaw that allows code inside the sandbox to escape and execute arbitrary commands in the host process. By not properly restricting the process and inspector/promises modules, an attacker can achieve full code execution on the server. It is imperative to update to version 3.11.4 to mitigate this maximum-severity risk.

Relevant roles

JavaScript, TypeScript, Backend, CyberSecurity

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-693

EPSS

Probability of exploitation (next 30 days): 0.0013 (0.1%)
Percentile: 33.2%
EPSS as of: 2026-06-12

Published: 6/12/2026, 3:16:28 PM
Last modified: 6/12/2026, 5:16:23 PM
