CVE-2026-47131
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining certain calls, it was possible to obtain the host's TypeError constructor, allowing escape from the sandbox and execution of arbitrary code.
Risk Assessment
Attackers could exploit this vulnerability to execute malicious code on the system, posing a serious threat to application and data security.
Recommendation
It is recommended to upgrade to version 3.11.4 or later to mitigate this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

