CVE Vulnerability Database

CVE-2026-47131: vm2 Node.js Sandbox RCE Vulnerability

CVE-2026-47131 is a remote code execution vulnerability in vm2, a Node.js sandbox library. Attackers can escape the sandbox and execute arbitrary code by exploiting Buffer methods. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2026-47131 Overview

CVE-2026-47131 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.4 allow attackers to break out of the sandbox by chaining Buffer.call.call with __lookupGetter__ and __lookupSetter__ against __proto__, combined with Node.js's ERR_INVALID_ARG_TYPE error. This sequence exposes the host's TypeError constructor, granting access to the outer realm. Attackers can execute arbitrary code on the host process. The issue is classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources) and has been patched in vm2 version 3.11.4.

Critical Impact

Untrusted code executed inside vm2 can escape the sandbox and run arbitrary commands with the privileges of the host Node.js process.

Affected Products

  • vm2 versions prior to 3.11.4
  • Node.js applications using vm2 to execute untrusted code
  • Server-side platforms that rely on vm2 for code isolation, plugins, or user-supplied scripts

Discovery Timeline

  • 2026-06-12 - CVE-2026-47131 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47131

Vulnerability Analysis

The vm2 library isolates untrusted JavaScript by proxying access between the sandbox and the host realm. Effective isolation requires that every reference reachable from inside the sandbox resolves only to proxied objects. CVE-2026-47131 breaks this invariant.

An attacker inside the sandbox invokes Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__") and the matching __lookupSetter__ variant. This indirect call pattern bypasses the proxy layer that normally mediates property access on Buffer. When the call path subsequently triggers a Node.js internal ERR_INVALID_ARG_TYPE error, the error constructor chain leaks a reference to the host realm's TypeError. Once an attacker holds a constructor from the host realm, they can walk back to Function and compile arbitrary code outside the sandbox.

Root Cause

The root cause is incomplete mediation of prototype lookup methods on host-provided objects such as Buffer. vm2 did not normalize indirect getter and setter invocations through Function.prototype.call.call, leaving a path for sandboxed code to reach host prototypes. The flaw aligns with CWE-913, improper control of code execution within a sandboxed environment.

Attack Vector

Exploitation is network-reachable in any service that evaluates attacker-controlled JavaScript inside vm2. No authentication or user interaction is required. The malicious script runs the prototype-lookup chain, captures the host TypeError, derives the host Function constructor, and executes payloads such as require('child_process').exec(...) with the privileges of the Node.js process. See the GitHub Security Advisory GHSA-v6mx-mf47-r5wg and the patch commit for the technical fix details.

Detection Methods for CVE-2026-47131

Indicators of Compromise

  • Sandbox-evaluated scripts containing the strings __lookupGetter__, __lookupSetter__, or Buffer.call.call in proximity to __proto__.
  • Node.js processes hosting vm2 spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe.
  • Outbound network connections initiated by a Node.js process whose role is restricted to script evaluation.

Detection Strategies

  • Inventory all Node.js applications and identify deployments of vm2 at versions earlier than 3.11.4 using software composition analysis.
  • Inspect application logs for ERR_INVALID_ARG_TYPE errors originating from sandbox evaluation paths, which can indicate exploitation attempts.
  • Hunt across endpoint telemetry for Node.js parent processes spawning shells or interpreters that are not part of the documented application behavior.

Monitoring Recommendations

  • Alert on process-lineage anomalies where node is the parent of child_process shells or scripting hosts.
  • Forward application and runtime logs to a centralized analytics platform and correlate sandbox error spikes with process-creation events.
  • Track package-manager activity to detect installations of vulnerable vm2 versions during CI/CD builds.
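The detection and monitoring guidance above comes together as one correlation rule: ERR_INVALID_ARG_TYPE errors logged by the sandbox evaluation path, followed within a short window by a shell whose parent process is node. The script below is an added example, not code from the advisory or the vm2 project; the log line format, the component name "sandbox" and the process-event fields are constructed for the example and would be mapped onto your own logging and EDR schema.

```javascript
// Added example (not from the advisory or the vm2 project): correlate sandbox
// ERR_INVALID_ARG_TYPE errors with shells spawned by node. The log format,
// component names and process-event fields below are constructed assumptions.

const SHELL_CHILDREN = new Set(['sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe', 'pwsh']);

// Constructed application log lines: "<ISO timestamp> <level> <component> <message>".
const APP_LOG = [
  '2026-06-15T10:00:01Z INFO sandbox evaluating script job-41',
  '2026-06-15T10:00:02Z ERROR sandbox TypeError [ERR_INVALID_ARG_TYPE]: The "value" argument must be of type number. Received an instance of Object',
  '2026-06-15T10:00:02Z ERROR sandbox TypeError [ERR_INVALID_ARG_TYPE]: The "size" argument must be of type number. Received an instance of Object',
  '2026-06-15T10:00:03Z INFO http GET /healthz 200',
  '2026-06-15T11:30:00Z ERROR http TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string',
];

// Constructed process-creation events (the shape an EDR or auditd pipeline might emit).
const PROC_EVENTS = [
  { ts: '2026-06-15T10:00:04Z', parent: 'node', child: 'sh', cmdline: 'sh -c id' },
  { ts: '2026-06-15T10:00:05Z', parent: 'node', child: 'node', cmdline: 'node worker.js' },
  { ts: '2026-06-15T11:45:00Z', parent: 'bash', child: 'sh', cmdline: 'sh build.sh' },
];

// Parse one log line into its fields; returns null for lines that do not match.
function parseLogLine(line) {
  const m = /^(\S+) (\S+) (\S+) (.*)$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), level: m[2], component: m[3], msg: m[4] };
}

// ERR_INVALID_ARG_TYPE errors from the sandbox evaluation path only; the same
// error raised by other components is ordinary application noise.
function sandboxArgTypeErrors(lines) {
  return lines
    .map(parseLogLine)
    .filter((e) => e && e.component === 'sandbox' && e.msg.includes('ERR_INVALID_ARG_TYPE'));
}

// Process-lineage anomaly: node as the parent of a shell or scripting host.
function shellSpawnsFromNode(events) {
  return events.filter((ev) => ev.parent === 'node' && SHELL_CHILDREN.has(ev.child));
}

// For each suspicious spawn, count sandbox errors in the preceding window.
// Spawns with at least one preceding error are the alerts worth escalating.
function correlate(lines, events, windowMs) {
  const errors = sandboxArgTypeErrors(lines);
  return shellSpawnsFromNode(events)
    .map((spawn) => {
      const spawnTs = Date.parse(spawn.ts);
      const preceding = errors.filter((e) => e.ts <= spawnTs && spawnTs - e.ts <= windowMs);
      return { spawn, precedingErrors: preceding.length };
    })
    .filter((a) => a.precedingErrors > 0);
}

// Stand-alone run over the constructed data.
for (const alert of correlate(APP_LOG, PROC_EVENTS, 60000)) {
  console.log(`ALERT: node spawned "${alert.spawn.cmdline}" at ${alert.spawn.ts} ` +
    `after ${alert.precedingErrors} sandbox ERR_INVALID_ARG_TYPE error(s)`);
}
```

The window keeps the rule from firing on unrelated ERR_INVALID_ARG_TYPE noise; the component filter keeps it from firing on the same error raised elsewhere in the application. Either signal alone is weak, which is why the page recommends correlating them.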

How to Mitigate CVE-2026-47131

Immediate Actions Required

  • Upgrade vm2 to version 3.11.4 or later in all production, staging, and development environments.
  • Audit dependency trees with npm ls vm2 or yarn why vm2 to locate transitive uses of the library.
  • Restrict the privileges of any service that evaluates untrusted JavaScript by running it under a dedicated low-privilege user and a constrained container.
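Locating every copy of vm2, including transitive ones pulled in by a plugin framework, is the first of the actions above. The script below is an added example, not code from the advisory or the vm2 project: it walks a dependency tree shaped like the JSON that `npm ls --json` prints and reports each vm2 occurrence with a numeric semver comparison against the fixed version 3.11.4. The tree it walks is constructed for the example.

```javascript
// Added example (not from the advisory or the vm2 project): inventory vm2 versions
// in a dependency tree and flag anything older than the fixed release.

const FIXED_VM2_VERSION = '3.11.4';

// Constructed tree in the shape of `npm ls --json` output:
// { name, version, dependencies: { <pkg>: { version, dependencies: {...} } } }.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    vm2: { version: '3.9.19', dependencies: { acorn: { version: '8.11.3' } } },
    'plugin-runner': {
      version: '2.1.0',
      dependencies: { vm2: { version: '3.11.4' } },
    },
    express: { version: '4.19.2' },
  },
};

// Parse "major.minor.patch"; a leading "v" and any prerelease/build suffix are ignored.
function parseSemver(version) {
  const core = String(version).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

// Numeric comparison (<0, 0, >0). A string comparison would rank 3.11.10 below 3.11.4.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VM2_VERSION) < 0;
}

// Depth-first walk over the tree, collecting every vm2 node with the path that pulls it in.
function findVm2(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'vm2' && node.version) {
      findings.push({ path: here.join(' > '), version: node.version, vulnerable: isVulnerableVm2(node.version) });
    }
    findings.push(...findVm2(node, here));
  }
  return findings;
}

for (const f of findVm2(SAMPLE_TREE)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} vm2@${f.version} via ${f.path}`);
}
```

The second finding in the sample is a patched copy nested under a plugin package, which a top-level `package.json` check would miss; the nested copy at 3.9.19 is the one that needs the upgrade.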

Patch Information

The maintainers released the fix in vm2 v3.11.4. The corrective change is published in the GitHub commit 27c525f and described in the GitHub Security Advisory GHSA-v6mx-mf47-r5wg. Note that vm2 is no longer actively maintained; consider migrating to a supported isolation technology such as isolated-vm or running untrusted code in a separate process with OS-level sandboxing.

Workarounds

  • Disable execution of untrusted scripts until the upgrade is deployed.
  • Wrap vm2 evaluation inside an OS-level sandbox such as a seccomp-restricted container, gVisor, or a separate uid with no filesystem or network privileges.
  • Apply an input filter that rejects scripts containing __lookupGetter__, __lookupSetter__, __proto__, or Buffer.call patterns as a short-term compensating control, recognizing that allow-listing the language surface is fragile.
```bash
# Configuration example: pin the fixed release, then confirm no older copy remains
npm install vm2@3.11.4
npm ls vm2
npm audit --production
```
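The indicator strings listed under Indicators of Compromise and the input filter named in the workarounds describe the same compensating control. The script below is an added example, not code from the advisory or the vm2 project: a pre-evaluation screen that rejects a script when any of those strings appears, reporting the line and pattern that matched. The pattern names and both sample scripts are constructed for the example.

```javascript
// Added example (not from the advisory or the vm2 project): a short-term screen
// placed in front of sandbox evaluation that rejects scripts carrying the
// indicator strings from the advisory. Pattern names and samples are constructed.

const INDICATOR_PATTERNS = [
  { name: 'lookupGetter', re: /__lookupGetter__/ },
  { name: 'lookupSetter', re: /__lookupSetter__/ },
  { name: 'proto', re: /__proto__/ },
  { name: 'bufferCall', re: /\bBuffer\s*\.\s*call\b/ },
];

// Scan a script line by line and return every pattern hit with its line number.
function screenScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const { name, re } of INDICATOR_PATTERNS) {
      if (re.test(text)) findings.push({ line: idx + 1, pattern: name });
    }
  });
  return findings;
}

// Gate used before handing a script to the sandbox: any hit blocks it.
function admitScript(source) {
  const findings = screenScript(source);
  return { allowed: findings.length === 0, findings };
}

// Constructed scripts: one ordinary, one carrying the indicator strings.
const BENIGN_SCRIPT = [
  'const total = items.reduce((sum, i) => sum + i.price, 0);',
  'return { total, count: items.length };',
].join('\n');

const FLAGGED_SCRIPT = [
  'const target = {};',
  'const getter = target.__lookupGetter__("__proto__");',
  'const raw = Buffer.call;',
].join('\n');

for (const [label, src] of [['benign', BENIGN_SCRIPT], ['flagged', FLAGGED_SCRIPT]]) {
  const verdict = admitScript(src);
  console.log(`${label}: ${verdict.allowed ? 'allowed' : 'rejected'}`, verdict.findings);
}
```

Treat this as a stop-gap, as the workaround list itself notes: string matching only sees literal spellings in the source text, so it is a fragile control and no substitute for upgrading to 3.11.4 and isolating the evaluating process at the OS level.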

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
