CVSS 10.0 · CRITICAL

CVE-2026-47140

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

View on NVD

Analysis

The vm2 library for Node.js has a critical flaw that lets code running inside the sandbox escape and execute arbitrary commands in the host process. Because the process and inspector/promises modules are not properly restricted, an attacker can achieve full code execution on the server. Updating to version 3.11.4 is imperative to mitigate this maximum-severity risk.

Relevant roles

JavaScript, TypeScript, Backend, CyberSecurity

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-693

EPSS

Exploitation probability (next 30 days): 0.0013 (0.1%)
Percentile: 33.2%
EPSS date: 2026-06-12


Published: 12/6/2026, 15:16:28
Last modified: 12/6/2026, 17:16:23
