CVE-2026-47131
Published 2026-06-12
CVSS 3.1 base score 10.0 (Critical): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.40% (31.9th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| patriksimek | vm2 | < 3.11.4 | 3.11.4 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | >= 0 < 3.11.4 | 3.11.4 |
Detection & IOCs (extracted from sources)
- Monitor vm2 sandbox environments for JavaScript expressions combining __lookupGetter__ or __lookupSetter__ on Buffer with __proto__ access, which is the exploit primitive used to leak the host TypeError constructor and escape the sandbox.
- Detect vm2 versions prior to 3.11.4 in Node.js dependency trees (package.json / package-lock.json); any deployment below this version is vulnerable to sandbox escape leading to arbitrary code execution.
- In Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Ansible Automation Platform, flag any code path that routes user-supplied JavaScript into the vm2 sandbox runtime, as this is the precondition for exploitation.
- Red Hat Developer Hub and Ansible Automation Platform carry vm2 only as a transitive dependency; the vulnerable sandbox functionality is not invoked in any production code path under default configuration, reducing exploitability in those products.
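One way to implement the dependency-tree check from the second bullet, as an added example that is not part of the advisory or of the vm2 project: it walks a package-lock.json (v2/v3 "packages" map, or the v1 nested "dependencies" tree) and reports every vm2 copy, including transitive ones, that is older than the fixed release 3.11.4. The sample lockfile and the plugin name are constructed; the version comparison is a simplified numeric semver compare, which assumes vm2 tags plain dotted versions.

```javascript
// Added example (not from the advisory or the vm2 project): flag vm2 copies in a
// package-lock.json that are older than the fixed release 3.11.4. Handles lockfile
// v2/v3 ("packages" map) and lockfile v1 ("dependencies" tree); sample is constructed.
const FIXED_VERSION = "3.11.4";
// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b. A
// pre-release suffix ("3.11.4-0") is ignored; assumption: vm2 tags plain semver.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Collect every vm2 entry in the lockfile as { path, version }.
function findVm2(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: transitive copies live under nested node_modules paths
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: recurse through the nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Entries still below 3.11.4, i.e. still exposed to the sandbox escape.
function vulnerableVm2(lock) {
  return findVm2(lock).filter((h) => compareVersions(h.version, FIXED_VERSION) < 0);
}
// Constructed sample: one fixed top-level copy, one vulnerable transitive copy.
const sampleLock = {
  packages: {
    "node_modules/vm2": { version: "3.11.4" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
  },
};
for (const h of vulnerableVm2(sampleLock)) {
  console.log(`VULNERABLE ${h.path} ${h.version} (< ${FIXED_VERSION})`);
}
```

In a CI step, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the build when the result is non-empty.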
CVSS provenance
- NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Red Hat (vendor): 10.0 CRITICAL
Red Hat
vm2: vm2: Arbitrary code execution via sandbox escape vulnerability
vendor_redhat · 2026-06-12 · CVSS 10.0 · CRITICAL · CWE-843
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker can exploit this vulnerability by combining specific Buffer function calls and Node.js's ERR_INVALID_ARG_TYPE error. This allows the attacker to obtain the host's TypeError constructor, leading to an
VulDB
patriksimek vm2 up to 3.11.3 dynamically-managed code resources (EUVD-2026-36441)
vuldb · 2026-06-14 · CVSS 10.0 · CRITICAL
A vulnerability, which was classified as critical, was found in patriksimek vm2 up to 3.11.3. The affected element is an unknown function. The manipulation results in dynamically-managed code resources.
This vulnerability is identified as CVE-2026-47131. The attack can be executed remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
vm2 has a Sandbox Escape issue
ghsa · 2026-05-29 · CRITICAL · CWE-913
### Summary
By combining `Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__")`, `Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__")`, and Node.js's `ERR_INVALID_ARG_TYPE` Error, the host's `TypeError` constructor can be obtained, which allows the escape from the sandbox.
This allows attackers to run arbitrary code.
### PoC
```js
"use strict";
const { VM } = require("vm2");
const vm = new VM();
vm.run(`
  "use strict";
  const getProto = Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__");
  const setProto = Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__");
  async function f() {
    try {
      await WebAssembly.compileStreaming();
    } catch(e) {
      setProto.call(getProto.call(e), null);
    }
    try {
      await WebAssembly.compileStreaming();
    } catch(e)
```
No detection rules found.
No public exploits indexed.