Node.js Sandbox Escape Vulnerability in vm2 by Patrik Simek
CVE-2026-47131
10CRITICAL
What is CVE-2026-47131?
The vm2 library, which provides a secure sandbox for executing untrusted JavaScript code in Node.js, has a vulnerability that allows attackers to escape this sandbox. This flaw arises from improper handling of prototype properties, enabling the retrieval of the host's TypeError constructor. By leveraging this vulnerability, an attacker could execute arbitrary code outside the secured environment. It is crucial for users of vm2 prior to version 3.11.4 to update their installations to mitigate potential security risks.
Affected Version(s)
vm2 < 3.11.4
