Sandbox Vulnerability in vm2 for Node.js Exposes Process-Wide Observability
CVE-2026-47141

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47141?

The vm2 is an open-source virtual machine and sandboxing library for Node.js that prior to version 3.11.4, allowed for certain process-wide observability builtins through the require.builtin. Specifically, modules like diagnostics_channel, async_hooks, and perf_hooks remained unblocked by the dangerous builtin denylist. This vulnerability permitted malicious sandboxed code to access and observe data from the host application beyond the intended sandbox boundary, potentially leading to unauthorized data exposure. The issue has since been addressed and patched in version 3.11.4.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.