CVE Catalog

CVE-2026-47140

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

33th percentile — higher than 33% of all known CVEs

Summary

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins, but the denylist misses process and inspector/promises, allowing sandboxed code to bypass restrictions.

Risk Assessment

Organizations may be exposed to unauthorized code execution in the host process, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 3.11.4 or later to mitigate these vulnerabilities.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS