CRITICAL🇵🇱 Wersja polska

CVE-2026-47208

CVSS 10.0v3.1pub. 2026-06-12

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

🤖 AI Analysis
How it works

The vulnerability results from improper control of dynamically managed resources (CWE-913) in the vm2 isolation mechanism. An attacker can craft JavaScript code that bypasses the library's sandboxing mechanisms and escapes the controlled virtual machine environment. After escaping the sandbox, the code gains full access to the host's Node.js environment and can execute arbitrary system commands.

Impact

Attacker gains the ability to execute arbitrary code on the host system (RCE), which can lead to complete server takeover, data leaks, file modifications, and further lateral movement within the infrastructure.

Mitigation & patch

The vm2 library should be updated to version 3.11.4 or newer, in which the vulnerability has been patched. Patch details are available in the vm2 project GitHub repository (commit a462655009669c3124ee39498121651597529ea8).

Who is affected

vm2 library for Node.js in versions prior to 3.11.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References