Node.js Sandbox Escape Vulnerability in vm2 by Patrik Simek
CVE-2026-47131

10CRITICAL

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47131?

The vm2 library, which provides a secure sandbox for executing untrusted JavaScript code in Node.js, has a vulnerability that allows attackers to escape this sandbox. This flaw arises from improper handling of prototype properties, enabling the retrieval of the host's TypeError constructor. By leveraging this vulnerability, an attacker could execute arbitrary code outside the secured environment. It is crucial for users of vm2 prior to version 3.11.4 to update their installations to mitigate potential security risks.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.