CVE-2026-47210
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
In vm2, prior to version 3.11.4, a sandbox escape vulnerability allowed arbitrary code execution in the host process when untrusted code was executed with async support. This issue has been patched in version 3.11.4.
Risk Assessment
Organizations may be exposed to arbitrary code execution, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to upgrade to version 3.11.4 or later to mitigate this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.

