CVE-2026-47208: vm2: Sandbox Breakout Using Promise Species
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sandbox escape vulnerability in vm2, a widely used Node.js sandboxing library. Based on its CVSS 10.0 vector (network attack vector, no privileges required, no user interaction), the flaw is reachable over the network and requires neither authentication nor victim interaction. Successful exploitation lets an attacker break out of the vm2 sandbox entirely and execute arbitrary commands directly on the host system. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
HarborGuard Coverage
- Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Node.js images that bundle vm2 as a dependency. Any image containing a vm2 version below 3.11.4 is flagged automatically. [Status: Available]
- HarborGuard scores this CVE at CVSS 10.0 Critical and weights that score against each customer organization's compliance policy to determine urgency and routing. The resulting alert is delivered to the appropriate team inbox within the customer org based on configured ownership rules. [Status: Available]
- Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls are surfaced through the triage workflow for each affected environment. [Status: Pending upstream]
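To make the version check described under HarborGuard Coverage concrete, here is an added example (not HarborGuard's or the vm2 project's code) that scans an npm package-lock.json for vm2 entries and flags any version below 3.11.4, the fix version the advisory names. The lockfile content, the function names and the finding format are constructed for illustration. It handles both the lockfileVersion 2/3 `packages` map and the legacy nested `dependencies` tree, and it compares versions numerically, so 3.11.10 is not mistaken for a vulnerable build and a 3.11.4 pre-release is still flagged.

```javascript
// Added example (not HarborGuard's or vm2's code): flag vm2 < 3.11.4 in a lockfile.
const FIX_VERSION = '3.11.4'; // fix version named in the advisory

// Compare two semver strings numerically; returns -1, 0 or 1.
// Build metadata after '+' is ignored; a pre-release (e.g. 3.11.4-rc.1)
// sorts below the matching final release, as semver specifies.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split('+')[0].split('-');
  const [bCore, bPre] = b.split('+')[0].split('-');
  const an = aCore.split('.').map(Number);
  const bn = bCore.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = an[i] || 0;
    const y = bn[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// True when an installed vm2 version is below the fix version.
function isVulnerable(version) {
  return compareVersions(version, FIX_VERSION) < 0;
}

// Legacy lockfileVersion 1 layout: a nested "dependencies" tree.
function walkLegacy(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && meta.version && isVulnerable(meta.version)) {
      findings.push({ path, version: meta.version, fixedIn: FIX_VERSION });
    }
    walkLegacy(meta.dependencies, `${path}/`, findings);
  }
}

// Returns one finding per vulnerable vm2 copy (direct or nested).
function findVulnerableVm2(lockfile) {
  const findings = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/vm2" or
    // "node_modules/some-plugin/node_modules/vm2".
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
      if (isVulnerable(meta.version)) {
        findings.push({ path, version: meta.version, fixedIn: FIX_VERSION });
      }
    }
  } else {
    walkLegacy(lockfile.dependencies, '', findings);
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 dependency below the fix version
// and a nested copy, pulled in by another package, that is already at 3.11.4.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin': { version: '2.0.0', dependencies: { vm2: '^3.11.4' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.4' },
  },
};

// Run on the embedded sample; only the direct 3.9.19 copy is reported.
for (const f of findVulnerableVm2(SAMPLE_LOCKFILE)) {
  console.log(`VULNERABLE ${f.path} vm2@${f.version} (fixed in ${f.fixedIn})`);
}
```

To run it against a real manifest, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the same check applies to a lockfile copied out of a container image layer, which is the form an image scanner sees.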
Exploit Conditions
- Network reachability: Required
The vulnerable component is exposed over the network; an attacker can reach it from any internet-adjacent position without requiring LAN or physical access.
- Authentication: Not required
No credentials or account of any privilege level are needed to trigger the vulnerability.
- Victim interaction: Not required
The attack is fully automated and does not require any action from a user or operator on the target system.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or environmental factors must be satisfied.
Blast Radius
- Attacker executes arbitrary operating system commands on the host running the vm2 sandbox, achieving full remote code execution outside the sandbox boundary.
- All data readable by the host process is exposed, including environment variables, secrets mounted into the container, and files on the container filesystem.
- An attacker can write or overwrite files and modify application state on the host, tampering with any resource the process has write access to.
- The attacker can terminate the host process or exhaust system resources, causing a complete denial of service for any workload sharing that host.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored on every ingest cycle for fix availability. Because no upstream patch exists yet, the platform surfaces it as a Critical finding in each affected customer environment and applies compliance-policy weighting to escalate routing appropriately. While waiting for a fix, HarborGuard recommends applying compensating controls where feasible: use Kubernetes NetworkPolicy or an equivalent control to restrict network ingress to services that invoke vm2, avoid passing untrusted code strings into vm2 instances, and consider feature-flag gating or temporary disablement of any user-supplied code execution paths. The moment an upstream fix is published, a patched-image rebuild at the fix version will become available automatically. For customers with auto-remediation enabled, HarborGuard will trigger a rebuild, run a regression test suite against the updated image, and open a PR against affected workloads; median time from CVE patch publication to merged PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled.
- patriksimek/vm2 < 3.11.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H