Sandbox Escape Vulnerability in vm2 Open Source for Node.js
CVE-2026-47210

9.8CRITICAL

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47210?

The vm2 package, an open-source sandbox for Node.js, is susceptible to a notable security concern. Prior to version 3.11.4, it permitted sandbox escape, enabling arbitrary code execution within the host environment when executing untrusted code with async capabilities amongst runtimes that expose WebAssembly JSPI. Specifically, this vulnerability facilitated a method for a JSPI-backed Promise to circumvent the intended Promise-species hardening, allowing an attacker to manipulate a host-originated rejection object with controlled species logic and thereby breaching the sandbox's protection. Users should upgrade to version 3.11.4 or later to mitigate this risk.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.