CVSS 10.0 · CRITICAL

CVE-2026-47208

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

Analysis

The popular vm2 library for Node.js has a sandbox escape vulnerability that allows an attacker to execute arbitrary commands directly on the host system. Because it gives the attacker full control over the execution environment, this flaw compromises the integrity of any server or container that relies on vm2 to isolate code. Updating to version 3.11.4 immediately is recommended.

Relevant roles

JavaScript, TypeScript, Backend, CyberSecurity, Linux, Docker

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-913

EPSS

Probability of exploitation (next 30 days): 0.0047 (0.5%)
Percentile: 65.2%
EPSS: 2026-06-12

Technical description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

Published: 6/12/2026, 3:16:28 PM
Last modified: 6/12/2026, 4:16:29 PM
