Node.js Sandbox Vulnerability in vm2 Affecting Open Source Users
CVE-2026-47140

10CRITICAL

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47140?

The vm2 library for Node.js, which acts as a sandboxing tool, had a vulnerability that allowed code within the sandbox to bypass security measures. Specifically, prior to version 3.11.4, essential Node.js builtins like process and inspector/promises were not included in the denylist, enabling malicious scripts to execute commands on the host environment. This oversight posed a substantial risk as it could be exploited to access host-side execution primitives. The issue was rectified in version 3.11.4, highlighting the importance of keeping software up to date.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.