CRITICAL🇵🇱 Wersja polska

CVE-2026-47140

CVSS 10.0v3.1pub. 2026-06-12

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

🤖 AI Analysis
How it works

NodeVM blocks a range of dangerous built-in Node.js modules (including module, worker_threads, cluster, vm, repl, inspector), however the blocklist omits the process and inspector/promises modules. An attacker can use these omitted modules inside the sandbox to gain access to code execution primitives on the host side. As a result, the isolation provided by the sandbox is completely broken without any special privileges on the attacker's side.

Impact

An attacker can execute arbitrary code in the host process (RCE), completely bypassing sandbox isolation mechanisms, leading to full system takeover, data exposure, and data modification.

Mitigation & patch

Update the vm2 library to version 3.11.4, which contains a patch eliminating the gap in the blocked modules list. Details are available in the official security advisory and v3.11.4 release on GitHub.

Who is affected

The vm2 library in versions before 3.11.4 (Node.js environment).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References