Node.js vm2 Sandbox Vulnerability in Patriksimek's Open Source Library
CVE-2026-47139
8.6HIGH
What is CVE-2026-47139?
The vm2 library, an open-source virtual machine/sandbox for Node.js, has a vulnerability that allows sandboxed code to access internal HTTP builtins even when public network modules are excluded. This can lead to unauthorized outbound HTTP requests and the opening of listening HTTP sockets. This issue was resolved in version 3.11.4, enhancing the security of the sandboxed environment.
Affected Version(s)
vm2 < 3.11.4
