CVE-2026-47140

Published: Jun 12, 2026Modified: Jun 12, 2026Deferred

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 6.0

Source: security-advisories@github.com (Secondary)

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Related CWEs

CWE-693

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (4)

https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b

Source: security-advisories@github.com

https://github.com/patriksimek/vm2/releases/tag/v3.11.4

Source: security-advisories@github.com

https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4

Source: security-advisories@github.com

https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.