CVE-2026-47139 | Severity: HIGH | CNA: GitHub_M

CVE-2026-47139: vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4.

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sandbox escape (network isolation bypass) in vm2, a Node.js sandboxing library. Untrusted code running inside a vm2 NodeVM sandbox can reach underscore-prefixed internal Node.js HTTP builtins (_http_client, _http_server) that are not blocked when the public network modules (http, https, net, etc.) are explicitly excluded. Successful exploitation allows sandboxed code to make outbound HTTP requests and open listening sockets on the host, bypassing the intended network isolation entirely. No fix version has been published upstream yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images containing an affected version of vm2, including custom-built images that bundle the library directly. Any image with patriksimek/vm2 below 3.11.4 will surface in scan results automatically.
Triage (Available)

HarborGuard scores this finding at CVSS 8.6 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on image ownership and policy configuration.
Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to supply or influence code executed inside the vm2 sandbox, which is typically reached over the network in services that accept and run untrusted user-supplied scripts.

  • Authentication: Not required

    No credentials are needed; the CVSS vector specifies PR:N, meaning any caller who can submit code to the sandbox can trigger the bypass.

  • Victim interaction: Not required

    No human interaction is required; the attacker submits malicious code directly to the sandbox execution path without any victim needing to take an action.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond access to the sandbox input.

Blast Radius

  • Sandboxed code makes outbound HTTP requests to arbitrary external hosts, exfiltrating data or reaching internal network services that the sandbox was meant to be isolated from.
  • Sandboxed code opens a listening HTTP socket on the host process, potentially exposing an unintended endpoint to other network-reachable parties.
  • The CVSS confidentiality impact is High with a Changed scope (S:C), meaning the bypass extends beyond the sandbox boundary and allows reading of data accessible to the host Node.js process.
  • Integrity and availability of the host are not directly impacted per the CVSS vector, but the network exfiltration path can be used to leak secrets, tokens, or internal service responses.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-47139 has been published, HarborGuard monitors the vm2 advisory each ingest cycle and will surface a patched-image rebuild the moment patriksimek/vm2 3.11.4 or a later release is confirmed upstream. In the interim, compensating controls are worth considering: network-policy rules that block egress from pods running vm2-based services limit the usefulness of the bypass even if the sandbox is compromised; feature-flag gating that disables user-submitted code execution paths until a fix is available removes the attack surface entirely. For customers with auto-remediation enabled, the full rebuild-plus-PR flow will fire automatically once an upstream fix version is registered, with no manual intervention required.

Affected packages

  • patriksimek/vm2 < 3.11.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N