Severity: CRITICAL | CVE-2026-47131 | CNA: GitHub_M

CVE-2026-47131: vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

Metrics

CVSS v3.1 base score: 10.0
Severity: CRITICAL
Fixed in: 3.11.4
Affected products: 1

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in vm2, a Node.js sandboxing library, in every version before 3.11.4. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C) rates it as reachable over the network with no authentication and no victim interaction; concretely, the precondition is that an attacker can get JavaScript of their choosing executed inside a vm2 sandbox, which is the situation vm2 exists to make safe. The chain combines Buffer.call.call with {}.__lookupGetter__ and {}.__lookupSetter__ on "__proto__" and a Node.js ERR_INVALID_ARG_TYPE error to obtain the host realm's TypeError constructor. Any host-realm constructor is enough: its .constructor is the host Function, which compiles and runs code outside the sandbox, so the attacker executes arbitrary code in the host process with that process's privileges. The maintainer has fixed the issue in vm2 3.11.4; upgrading every copy of vm2 in an image, including transitive ones, is the remediation.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-47131 is ingested from upstream advisory feeds shortly after publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Node.js images that carry vm2 as a direct or transitive dependency.

Available
Triage

HarborGuard surfaces this finding with its CVSS 3.1 score of 10.0 (Critical) and applies per-environment compliance policy weighting to prioritize routing; findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

The upstream fix is vm2 3.11.4; every earlier release is affected, so remediation is to rebuild affected images with vm2 3.11.4 or later, including copies pulled in transitively by other packages. For workloads that cannot be rebuilt immediately, compensating-control recommendations (network-policy isolation, egress filtering, and feature-flag gating of vm2 usage) are surfaced in the finding detail. None of these prevents the escape; they limit what a compromised host process can reach.

Fixed upstream in 3.11.4

Exploit Conditions

  • Network reachability: Required

    The CNA rates the vulnerability as network-reachable (AV:N). Concretely, the attacker needs a path to get JavaScript of their choosing executed inside a vm2 sandbox, for example a service that evaluates user-supplied scripts, plugins, or expressions.

  • Authentication: Not required

    No credentials or prior account are needed (PR:N); an unauthenticated request is sufficient wherever the service accepts untrusted code from unauthenticated callers.

  • Victim interaction: Not required

    No user action is required (UI:N); the attacker does not need to trick anyone into clicking a link or opening a file.

  • Attack complexity: Low

    Attack complexity is Low (AC:L): the chain relies only on deterministic JavaScript and Node.js behavior (Buffer.call.call, __lookupGetter__ and __lookupSetter__, and the ERR_INVALID_ARG_TYPE error), so it needs no timing, race conditions, or environmental preconditions beyond access to the sandbox.

Blast Radius

  • A successful attacker escapes the vm2 sandbox and executes arbitrary code in the host Node.js process, with the privileges of that process.
  • Everything the host process can read becomes readable: its environment variables, mounted files and volumes, and any secrets or credentials held in memory or on disk.
  • The attacker can write or delete files and modify application state the process has access to, including persisted data and configuration.
  • The host process can be crashed or kept running under attacker control, and its network position and credentials can be used to reach other services, so the blast radius extends to whatever the process could reach.

How HarborGuard Handles This

Available on HarborGuard: the upstream fix is vm2 3.11.4 from patriksimek, and the finding's remediation is to bump every copy of vm2 in the affected image to 3.11.4 or later. For customers who opt into auto-remediation, the patched-image rebuild triggers a regression-test run and opens a PR against affected workloads with no manual steps required. Where a rebuild must wait, the finding detail surfaces compensating controls: isolate pods running vm2 with restrictive Kubernetes NetworkPolicy rules to limit inbound reach, apply egress filtering to hamper exfiltration from a compromised host process, and gate any feature that invokes vm2 behind a feature flag so it can be disabled immediately if active exploitation is confirmed. These controls do not prevent the escape itself; they narrow what an attacker can do after it. For environments where compliance policy requires immediate action, flagging workloads that bundle vm2 for accelerated review is also available through HarborGuard's policy-routing configuration.

Affected packages
  • patriksimek / vm2
    < 3.11.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H