CVE-2026-47140
CRITICAL
vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Title source: cnaDescription
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.
References (3)
Core 3
Core References
x_refsource_misc
https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
x_refsource_misc
https://github.com/patriksimek/vm2/releases/tag/v3.11.4
x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
Scores
CVSS v3
10.0
EPSS
0.0088
EPSS Percentile
54.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-693
Status
published
Products (2)
npm/vm2
0 - 3.11.4 (npm)
patriksimek/vm2
< 3.11.4
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026