CVE-2026-47131 | vm2 is an open source vm/sandbox for Node.js. Prior to versi… | CVSS 10.0 CRITICAL

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

Metadata

CVE ID: CVE-2026-47131
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-18 19:50 UTC
Published: 2026-06-12 14:14 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-913
CWE-913: Improper Control of Dynamically-Managed Code Resour…
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.11.4

Weakness (CWE)

CWE	Source	Description
CWE-913	cna	CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)

https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg
https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8 https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8
https://github.com/patriksimek/vm2/releases/tag/v3.11.4 https://github.com/patriksimek/vm2/releases/tag/v3.11.4