CVE-2026-47131
published 2026-06-12


Priority: P2 · 59 · critical · CVSS 3.1 base score 10
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.40% (31.9th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

Affected (4 ranges)

Vendor                       Product             Version range    Fixed in
ansible-automation-platform  automation-portal   -                -
patriksimek                  vm2                 < 3.11.4         3.11.4
rhdh                         rhdh-hub-rhel9      -                -
vm2_project                  vm2                 >= 0 < 3.11.4    3.11.4

Detection & IOCs (extracted from sources)

command: Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__")
command: Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__")
  • Monitor vm2 sandbox environments for JavaScript expressions combining __lookupGetter__ or __lookupSetter__ on Buffer with __proto__ access, which is the exploit primitive used to leak the host TypeError constructor and escape the sandbox.
  • Detect vm2 versions prior to 3.11.4 in Node.js dependency trees (package.json / package-lock.json); any deployment below this version is vulnerable to sandbox escape leading to arbitrary code execution.
  • In Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Ansible Automation Platform, flag any code path that routes user-supplied JavaScript into the vm2 sandbox runtime, as this is the precondition for exploitation.
  • Red Hat Developer Hub and Ansible Automation Platform carry vm2 only as a transitive dependency; the vulnerable sandbox functionality is not invoked in any production code path under default configuration, reducing exploitability in those products.

CVSS provenance

NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat (vendor): 10.0 CRITICAL