Threat Advisory

vm2 Vulnerability Exposes Critical Node.js RCE Pathways

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the vm2 library, affecting versions up to and including 3.11.3. The identified vulnerabilities are related to Remote Code Execution (RCE) and compromise the core security promise of the vm2 library. These flaws can be exploited by unauthenticated code running inside the sandbox to achieve RCE on the host server process, posing an extreme risk to legacy versions active in production. Business risk and impact are severe, as untrusted scripts can interact directly with host-side execution primitives, compromising server secrets, local files, and system processes.

  • CVE-2026-47140 with a CVSS score of 10.0 – This flaw targets the NodeVM implementation layer and allows a sandboxed script to interact directly with host-side execution primitives, fully compromising server secrets, local files, and system processes by bypassing the denylist for process and inspector/promises.
  • CVE-2026-47210 with a CVSS score of 9.8 – This vulnerability compromises environments running asynchronous code support on modern runtimes that expose WebAssembly JavaScript Promise Integration (JSPI) features, allowing a JSPI-backed Promise to reach the global Promise.prototype.finally() function in a way that completely evades vm2’s internal security hardening.
  • CVE-2026-47131 with a CVSS score of 10.0 – This flaw represents a textbook example of a security patch failure and allows an attacker to bypass a prior update by simply omitting the require option from their initialization payload, spawning the exact dangerous environment the patch intended to stop.

The identified vulnerabilities pose a significant risk to business operations, as they can be exploited by unauthenticated code running inside the sandbox to achieve RCE on the host server process. If left unpatched, these vulnerabilities can result in a complete compromise of server secrets, local files, and system processes.

RECOMMENDATION:

  • We recommend updating vm2 to version 3.11.4 or later.
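A defender-side check for the recommendation above, added here and not part of the advisory: scan an npm lockfile (v2/v3 "packages" map) for every vm2 install, direct or nested, whose version is below the fixed release 3.11.4. The lockfile object and its version strings are constructed sample data, not taken from any real project.

```javascript
// Added example (not from the advisory or the vm2 project). The fixed
// version 3.11.4 comes from the advisory; everything else is illustrative.
const FIXED_VERSION = '3.11.4';

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring a leading "v" and any
// pre-release or build suffix.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Any vm2 version older than the fixed release is in the affected range.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map; every key ending in "node_modules/vm2"
// is a vm2 install, whether top-level or nested under another dependency.
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta.version && isVulnerableVm2(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct vm2 install in the affected range
// and one nested install that is already on the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.4' },
  },
};

console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCK)));
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile v1 files use a "dependencies" tree instead and are not covered by this walker.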

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/vm2-sandbox-escape-vulnerabilities-cve-2026-47140-node-rce/
