Node.js vm2 Sandbox Vulnerability in Patriksimek's Open Source Library
CVE-2026-47139

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47139?

The vm2 library, an open-source virtual machine/sandbox for Node.js, has a vulnerability that allows sandboxed code to access internal HTTP builtins even when public network modules are excluded. This can lead to unauthorized outbound HTTP requests and the opening of listening HTTP sockets. This issue was resolved in version 3.11.4, enhancing the security of the sandboxed environment.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.