CVE-2026-47140
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins, but the denylist misses process and inspector/promises, allowing sandboxed code to bypass restrictions.
Risk Assessment
Organizations may be exposed to unauthorized code execution in the host process, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 3.11.4 or later to mitigate these vulnerabilities.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

