CRITICAL | CVE-2026-47140 | CNA: GitHub_M

CVE-2026-47140: vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in vm2, a widely used Node.js sandboxing library. The NodeVM builtin denylist fails to block access to the process object and the inspector/promises module, both of which provide direct paths to host-side execution primitives. An unauthenticated attacker who can submit code to the sandbox can escape the sandbox entirely and execute arbitrary code in the host Node.js process. A patched-image rebuild at version 3.11.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-47140 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle vm2 as a transitive dependency.

Status: Available

Triage

HarborGuard scores this issue at CVSS 10.0 Critical and surfaces it in triage queues with per-environment compliance policy weighting applied, routing alerts to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix was published at the time of CVE disclosure, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild at version 3.11.4 available the moment the upstream release is confirmed. For customers with auto-remediation enabled, the rebuild triggers automatically, a regression test run executes, and a PR is opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; any attacker who can send code or input to the vm2 sandbox endpoint can trigger the bypass.

  • Authentication: Not required

    No credentials or account are needed; the exploit path is open to any party that can reach the sandbox interface.

  • Victim interaction: Not required

    No user action is required; the attacker submits malicious code directly to the sandbox and exploitation proceeds without any victim involvement.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free; no race conditions, memory layout knowledge, or environmental prerequisites are required to escape the sandbox.

Blast Radius

  • Attacker executes arbitrary code inside the host Node.js process, inheriting all OS-level permissions that process holds.
  • Attacker reads any data accessible to the host process, including environment variables, secrets, and files on the container filesystem.
  • Attacker writes or deletes files, modifies application state, or injects malicious logic into the running process.
  • Attacker can crash or destabilize the host process, taking down the service entirely.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47140 is active across customer registries and CI pipelines, matching any image layer that includes vm2 below version 3.11.4, including cases where vm2 arrives as a transitive dependency. Because this CVE carries a CVSS score of 10.0, it is surfaced at the top of Critical queues with compliance policy weighting applied immediately. For customers with auto-remediation enabled, a patched-image rebuild at vm2 version 3.11.4 becomes available as soon as the upstream release is confirmed; the rebuild is followed by an automated regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, recommended compensating controls include isolating the service behind a network policy that restricts which callers can submit sandbox input, applying egress filtering to block outbound connections from the sandboxed process, and gating the sandbox execution feature behind a feature flag until the patched image is deployed.
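Added example, not HarborGuard's or vm2's own code: a Node.js script that audits an npm package-lock.json (lockfileVersion 2 or 3, `packages` map; the sample lockfile is constructed inline) for vm2 installs below 3.11.4, and flags copies nested under another package's node_modules, the transitive-dependency case the paragraph above calls out.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for vm2 below the fixed version.
// The fixed version comes from the advisory; the sample lockfile below is constructed.
const FIXED_VERSION = '3.11.4';

// Compare two dotted numeric versions: returns -1, 0 or 1. Prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map and collect every vm2 install (direct or transitive) below the fix.
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // Keys look like "node_modules/vm2" (direct) or "node_modules/x/node_modules/vm2" (nested).
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      findings.push({
        path,
        version: meta.version,
        transitive: path.split('node_modules/').length > 2,
      });
    }
  }
  return findings;
}

// Constructed sample: a direct vm2 below the fix, a nested copy below the fix, and a patched copy.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/code-runner': { version: '2.0.0', dependencies: { vm2: '3.11.3' } },
    'node_modules/code-runner/node_modules/vm2': { version: '3.11.3' },
    'node_modules/other-tool/node_modules/vm2': { version: '3.11.4' },
  },
};

for (const f of findVulnerableVm2(sampleLockfile)) {
  const kind = f.transitive ? 'transitive' : 'direct';
  console.log(`${kind} vm2 ${f.version} at ${f.path} (fixed in ${FIXED_VERSION})`);
}
```

To audit a real project, replace `sampleLockfile` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the patched 3.11.4 copy in the sample is deliberately not reported.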

Affected packages

  • patriksimek/vm2: < 3.11.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H