CVE Catalog

CVE-2026-47131

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

13th percentile — higher than 13% of all known CVEs

Summary

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining certain calls, it was possible to obtain the host's TypeError constructor, allowing escape from the sandbox and execution of arbitrary code.

Risk Assessment

Attackers could exploit this vulnerability to execute malicious code on the system, posing a serious threat to application and data security.

Recommendation

It is recommended to upgrade to version 3.11.4 or later to mitigate this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS