CVE-2026-47140 | THREATINT

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

PUBLISHED Reserved 2026-05-18 | Published 2026-06-12 | Updated 2026-06-12 | Assigner GitHub_M

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-693: Protection Mechanism Failure

Product status

< 3.11.4

affected

References

github.com/...ek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4 exploit

github.com/...ek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4

github.com/...ommit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b

github.com/patriksimek/vm2/releases/tag/v3.11.4

cve.org (CVE-2026-47140)

nvd.nist.gov (CVE-2026-47140)

Download JSON