Sandbox Escape Vulnerability in vm2 Open Source for Node.js
CVE-2026-47210
9.8CRITICAL
What is CVE-2026-47210?
The vm2 package, an open-source sandbox for Node.js, is susceptible to a notable security concern. Prior to version 3.11.4, it permitted sandbox escape, enabling arbitrary code execution within the host environment when executing untrusted code with async capabilities amongst runtimes that expose WebAssembly JSPI. Specifically, this vulnerability facilitated a method for a JSPI-backed Promise to circumvent the intended Promise-species hardening, allowing an attacker to manipulate a host-originated rejection object with controlled species logic and thereby breaching the sandbox's protection. Users should upgrade to version 3.11.4 or later to mitigate this risk.
Affected Version(s)
vm2 < 3.11.4
