Node.js Sandbox Vulnerability in vm2 Affecting Open Source Users
CVE-2026-47140
10CRITICAL
What is CVE-2026-47140?
The vm2 library for Node.js, which acts as a sandboxing tool, had a vulnerability that allowed code within the sandbox to bypass security measures. Specifically, prior to version 3.11.4, essential Node.js builtins like process and inspector/promises were not included in the denylist, enabling malicious scripts to execute commands on the host environment. This oversight posed a substantial risk as it could be exploited to access host-side execution primitives. The issue was rectified in version 3.11.4, highlighting the importance of keeping software up to date.
Affected Version(s)
vm2 < 3.11.4
