Sandbox Vulnerability in vm2 for Node.js Exposes Process-Wide Observability
CVE-2026-47141
6.9MEDIUM
What is CVE-2026-47141?
The vm2 is an open-source virtual machine and sandboxing library for Node.js that prior to version 3.11.4, allowed for certain process-wide observability builtins through the require.builtin. Specifically, modules like diagnostics_channel, async_hooks, and perf_hooks remained unblocked by the dangerous builtin denylist. This vulnerability permitted malicious sandboxed code to access and observe data from the host application beyond the intended sandbox boundary, potentially leading to unauthorized data exposure. The issue has since been addressed and patched in version 3.11.4.
Affected Version(s)
vm2 < 3.11.4
