
CVE-2026-47140: vm2 Sandbox RCE Vulnerability

CVE-2026-47140 is a remote code execution vulnerability in vm2, a Node.js sandbox. Attackers can bypass builtin restrictions to execute code in the host process. This article covers technical details, affected versions, and mitigation.

CVE-2026-47140 Overview

CVE-2026-47140 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. The NodeVM component maintains a denylist of dangerous Node.js builtins to prevent sandboxed code from reaching host execution primitives. The denylist omits the process and inspector/promises modules. Sandboxed JavaScript can request either builtin and pivot to host-side code execution, breaking the security boundary the sandbox is meant to enforce. The flaw is classified as [CWE-693] Protection Mechanism Failure and affects all releases prior to vm2 version 3.11.4.

Critical Impact

Untrusted code running inside a vm2 NodeVM sandbox can break out and execute arbitrary code in the host Node.js process, resulting in full compromise of the application.

Affected Products

  • vm2 versions prior to 3.11.4
  • Node.js applications embedding vm2 NodeVM for untrusted code evaluation
  • Downstream packages and services that rely on vm2 as a sandboxing layer

Discovery Timeline

  • 2026-06-12 - CVE-2026-47140 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47140

Vulnerability Analysis

The vm2 library exposes a NodeVM API that lets host applications run untrusted JavaScript with restricted access to Node.js builtins. The implementation enforces this restriction using a denylist that blocks modules such as module, worker_threads, cluster, vm, repl, and inspector. The denylist is incomplete: it includes neither the process module (the require path to the process global) nor the inspector/promises submodule. Sandboxed code can require these names and obtain references that reach host execution primitives outside the sandbox.

Once sandboxed code obtains a process handle, it can interact with the host event loop, native bindings, and child process APIs. The inspector/promises interface exposes the V8 Inspector protocol, which permits arbitrary script evaluation in the host context. Either path converts a contained guest into full host-side code execution.

Root Cause

The root cause is an incomplete denylist in the NodeVM builtin resolver. The protection mechanism enumerates known dangerous modules rather than enforcing an allowlist of safe modules. New or alternate module specifiers, including process and the promise variant inspector/promises, are not matched by the denylist and pass through to the host module loader.

Attack Vector

An attacker supplies JavaScript that executes inside a vm2 NodeVM instance. The payload requires one of the unfiltered builtins and uses the returned object to reach host execution. The attack requires no authentication and no user interaction because the entry point is whatever interface the host application uses to accept untrusted code, such as an HTTP endpoint, a job queue, or a plugin loader.

Refer to the GitHub Security Advisory GHSA-rp36-8xq3-r6c4 for advisory details and to the vm2 patch commit for the exact code change that closes the gap.

Detection Methods for CVE-2026-47140

Indicators of Compromise

  • Sandboxed scripts that call require('process') or require('inspector/promises') from within a NodeVM context.
  • Unexpected child processes spawned by the Node.js host that embeds vm2, particularly shells or interpreters.
  • Outbound network connections initiated from the host Node.js process after evaluating untrusted input.
  • New listeners on the V8 Inspector port or unexpected inspector.Session activity in production workloads.

Detection Strategies

  • Inventory all Node.js services and verify the installed vm2 version is 3.11.4 or later using npm ls vm2.
  • Add static analysis rules to flag user-supplied scripts that reference process, inspector, or inspector/promises before they are passed to vm2.
  • Log every require call resolved inside the NodeVM host hook and alert on entries that match the unpatched bypass modules.
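The static-analysis rule above can be implemented as a pre-submission scanner. The following is an added example, not code from the advisory or from the vm2 project: it extracts every string-literal argument passed to require() in a submitted script, canonicalizes it (strips the node: prefix and any submodule path, so inspector/promises is treated as inspector), and returns a verdict. Requires whose argument is not a literal cannot be classified statically, so the scanner reports them for review rather than passing them, which is why the runtime require-hook logging in the last bullet still matters. The sample scripts are constructed for the example.

```javascript
// Added example (not vm2's or the advisory's code): static scan of a
// user-supplied script for require() of the builtins named in the advisory.

// Builtins the advisory identifies as reaching host execution primitives.
const FLAGGED = new Set(['process', 'inspector']);

// "node:inspector/promises" -> "inspector"; "path" -> "path".
function canonicalBuiltin(specifier) {
  const bare = specifier.startsWith('node:') ? specifier.slice(5) : specifier;
  return bare.split('/')[0];
}

// Every string-literal argument of require(...), accepting ', " or ` quotes
// and whitespace around the call.
function extractRequireSpecifiers(source) {
  const re = /\brequire\s*\(\s*(['"`])([^'"`]+)\1\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) found.push(m[2]);
  return found;
}

// Verdict for one script:
//   'reject' - a literal require names a flagged builtin
//   'review' - at least one require() argument is not a literal (unclassifiable)
//   'pass'   - every require is a literal that is not flagged
function scanScript(source) {
  const literal = extractRequireSpecifiers(source);
  const flagged = literal.filter((s) => FLAGGED.has(canonicalBuiltin(s)));
  const total = (source.match(/\brequire\s*\(/g) || []).length;
  const dynamicRequires = total - literal.length;
  let verdict = 'pass';
  if (flagged.length > 0) verdict = 'reject';
  else if (dynamicRequires > 0) verdict = 'review';
  return { flagged, dynamicRequires, verdict };
}

// Constructed sample submissions (not real captured scripts).
const SAMPLES = {
  benign: "const path = require('path');\nmodule.exports = (p) => path.basename(p);",
  flagged: 'const insp = require("node:inspector/promises");',
  dynamic: 'const mod = config.module;\nrequire(mod);',
};

// Usage: print the verdict for each sample.
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanScript(src)));
}
```

The scanner is deliberately conservative: anything it cannot resolve to a literal is sent for review instead of being passed, and the canonicalization step is what keeps alias forms such as node:process from slipping past an exact-match rule.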

Monitoring Recommendations

  • Monitor process trees for child processes spawned by Node.js workers that should only run sandboxed logic.
  • Alert on the activation of the V8 Inspector protocol in production runtimes that do not normally enable debugging.
  • Capture and review egress traffic from application hosts that execute third-party or customer-supplied code.

How to Mitigate CVE-2026-47140

Immediate Actions Required

  • Upgrade vm2 to version 3.11.4 or later across every service, container image, and build artifact.
  • Audit all entry points that accept user-supplied JavaScript and confirm they route through the patched sandbox.
  • Rotate credentials, tokens, and keys that were accessible to any host process running an unpatched vm2 instance.
  • Treat vm2 as deprecated for new designs and plan migration to an isolate-based runtime such as a separate process or isolated-vm.

Patch Information

The maintainers fixed the issue in vm2 release v3.11.4 by extending the builtin denylist to cover process and inspector/promises. Review the upstream commit to confirm the change is present in vendored or forked copies.

Workarounds

  • If immediate upgrade is not possible, wrap the NodeVM require hook to reject process and inspector/promises explicitly.
  • Run vm2 host processes under a low-privilege user with no network egress and a read-only filesystem to limit blast radius.
  • Move untrusted code execution to a dedicated worker process that can be terminated and recycled on each request.
```bash
# Upgrade vm2 to the patched release
npm install vm2@3.11.4 --save
npm ls vm2
```
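To illustrate the root cause described above (an enumerated denylist rather than an allowlist) and the first workaround (wrapping the require hook), the following added example places a denylist filter of the shape the advisory describes beside an allowlist filter, and wraps a host require function so every resolution is checked and logged. This is not vm2's code and does not assume vm2's option names; guardedRequire() takes whatever host loader function the embedding supplies (an assumption labelled in the code) and can be installed in the hook the application already uses. The allowlist contents are constructed for the example.

```javascript
// Added example (not vm2's or the advisory's code): denylist vs allowlist
// builtin policy, plus a logging wrapper around a host require function.

// Exact-match denylist of the kind the advisory describes.
const DENYLIST = new Set(['module', 'worker_threads', 'cluster', 'vm', 'repl', 'inspector']);

// Allowlist: only the builtins the sandboxed workload legitimately needs
// (constructed for this example; choose your own minimal set).
const ALLOWLIST = new Set(['path', 'util', 'events']);

// "node:inspector/promises" -> "inspector"; "path" -> "path".
function canonicalBuiltin(specifier) {
  const bare = specifier.startsWith('node:') ? specifier.slice(5) : specifier;
  return bare.split('/')[0];
}

// Vulnerable shape: permits anything not literally present in the denylist,
// so alternate specifiers fall through.
function denylistPermits(specifier) {
  return !DENYLIST.has(specifier);
}

// Hardened shape: canonicalize, then require membership in the allowlist.
function allowlistPermits(specifier) {
  return ALLOWLIST.has(canonicalBuiltin(specifier));
}

// Wrap a host require so each resolution is checked and logged before it runs.
// `hostRequire` is whatever loader the embedding hands the sandbox (assumption);
// `log` receives one JSON line per call for the alerting described under
// Detection Strategies.
function guardedRequire(hostRequire, log = console.log) {
  return function (specifier) {
    const allowed = allowlistPermits(specifier);
    log(JSON.stringify({ event: 'sandbox_require', specifier, allowed }));
    if (!allowed) {
      throw new Error(`builtin "${specifier}" is not on the sandbox allowlist`);
    }
    return hostRequire(specifier);
  };
}

// Evaluate both policies over the specifiers the advisory names plus aliases.
function comparePolicies() {
  const probes = ['process', 'node:process', 'inspector', 'inspector/promises', 'path'];
  return probes.map((s) => ({
    specifier: s,
    denylistPermits: denylistPermits(s),
    allowlistPermits: allowlistPermits(s),
  }));
}

// Usage: show where the two policies disagree.
console.table(comparePolicies());
```

The table makes the advisory's point concrete: the denylist permits process, node:process and inspector/promises because none of them is the literal string it enumerates, while the allowlist rejects all three and only admits the builtins the workload was designed to use.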

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
