CVE-2026-47140 | vm2 is an open source vm/sandbox for Node.js. Prior to versi… | CVSS 10.0 CRITICAL

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Metadata

CVE ID: CVE-2026-47140
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-18 19:50 UTC
Published: 2026-06-12 14:16 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-693
CWE-693: Protection Mechanism Failure
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.11.4

Weakness (CWE)

CWE	Source	Description
CWE-693	cna	CWE-693: Protection Mechanism Failure

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)

https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4 https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
https://github.com/patriksimek/vm2/releases/tag/v3.11.4 https://github.com/patriksimek/vm2/releases/tag/v3.11.4