vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
CVE-2026-47140

10CRITICAL

Key Information:

Vendor

Patriksimek

Status
Vm2
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47140?

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Affected Version(s)

vm2 < 3.11.4

References

https://github.com/patriksimek/vm2/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36...
x_refsource_MISC
https://github.com/patriksimek/vm2/releases/tag/v3.11.4
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.