CVE Catalog

CVE-2026-47210

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

29th percentile — higher than 29% of all known CVEs

Summary

In vm2, prior to version 3.11.4, a sandbox escape vulnerability allowed arbitrary code execution in the host process when untrusted code was executed with async support. This issue has been patched in version 3.11.4.

Risk Assessment

Organizations may be exposed to arbitrary code execution, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to version 3.11.4 or later to mitigate this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS