CVE-2026-47140
published 2026-06-12


Priority: P2 (65)
Severity: critical, CVSS 3.1 base score 10.0
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.54% (41.1th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Affected (4 ranges)

Vendor                       Product            Version range    Fixed in
ansible-automation-platform  automation-portal  -                -
patriksimek                  vm2                < 3.11.4         3.11.4
rhdh                         rhdh-hub-rhel9     -                -
vm2_project                  vm2                >= 0, < 3.11.4   3.11.4

Detection & IOCs (extracted from sources)

  • Sandboxed code that requires the `process` builtin (missing from the pre-3.11.4 vm2 NodeVM denylist) to reach host-side execution primitives should be flagged as a sandbox escape attempt.
  • Sandboxed code that requires `inspector/promises` (also missing from the pre-3.11.4 denylist) to reach host-side execution primitives should be flagged as a sandbox escape attempt.
  • Inventory vm2 versions prior to 3.11.4 in Node.js environments, including transitive installs: the vulnerable NodeVM sandbox does not block `process` or `inspector/promises`, so untrusted code inside it can execute arbitrary code in the host process.
  • Alert on user-supplied JavaScript being routed into a vm2 NodeVM sandbox instance; attacker-controlled sandbox code is the required exploitation condition for CVE-2026-47140.
  • Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Ansible Automation Platform carry vm2 as a transitive dependency but do not invoke the vulnerable sandbox in production code paths; exploitation risk is reduced, but the vulnerable package is still present and should still be updated.
  • No Red Hat-endorsed mitigation short of patching is available for this vulnerability.

CVSS provenance

NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor (Red Hat): 10.0 CRITICAL