CVE-2026-47210
published 2026-06-12

Priority: P2 (63)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% (39.4th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.

Affected (4 ranges)

Vendor                        Product             Version range     Fixed in
ansible-automation-platform   automation-portal   -                 -
patriksimek                   vm2                 < 3.11.4          3.11.4
rhdh                          rhdh-hub-rhel9      -                 -
vm2_project                   vm2                 >= 0 < 3.11.4     3.11.4

Detection & IOCs (extracted from sources)

  • Sandbox escape occurs when untrusted code uses async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending); monitor for use of these APIs within vm2 sandbox contexts
  • Attack vector involves a JSPI-backed Promise reaching Promise.prototype.finally() to bypass Promise-species hardening and expose a host-originated rejection object to attacker-controlled species logic; look for overriding of Promise[Symbol.species] or Promise.prototype.finally within sandboxed code
  • Vulnerable only when untrusted code is executed with async support on runtimes that expose WebAssembly JSPI; standard deployments of Red Hat Developer Hub and Ansible Automation Platform do not invoke the vulnerable sandbox functionality in production code paths
  • Fix is available in vm2 version 3.11.4; upgrade from any prior version to remediate

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 9.8 CRITICAL