CVE-2026-47140
Status: Deferred - Pending Action
Code Execution via Process Access in vm2 Sandbox

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor        Product   Version / Range
patriksimek   vm2       versions before 3.11.4 (affected)
patriksimek   vm2       3.11.4 (fixed)
CWE
CWE-693: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Compliance Impact

This vulnerability allows sandboxed code to bypass builtin restrictions and execute arbitrary code in the host process, leading to full host process compromise.

Such a compromise can result in unauthorized file access, process spawning, and theft of environment secrets.

These impacts can lead to violations of confidentiality, integrity, and availability requirements that are critical for compliance with standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could cause non-compliance with these regulations due to potential data breaches and unauthorized access to sensitive information.

Executive Summary

CVE-2026-47140 is a critical security vulnerability in the vm2 library's NodeVM sandbox for Node.js. The vulnerability arises because the builtin denylist, which is supposed to block dangerous Node.js modules, misses certain modules like 'process' and 'inspector/promises'. This allows sandboxed code to bypass restrictions and execute arbitrary code in the host process.

Attackers can exploit this by requiring 'process' or 'inspector/promises' modules in ways that the denylist does not detect, such as using subpaths or URL-style module names. This bypass lets them access host-side execution primitives and run code outside the sandbox.

The issue was patched in version 3.11.4 by extending the denylist to include these missing modules and implementing family-prefix matching to block subpath and URL-style module names effectively.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to escape the sandbox and execute arbitrary code in the host process.

  • Full host process compromise
  • Unauthorized file system access
  • Spawning of new processes
  • Theft of environment secrets and sensitive data

Overall, this can lead to complete loss of confidentiality, integrity, and availability of the affected system.

Detection Guidance

Detecting exposure to this vulnerability involves two checks: whether your system is running a vulnerable version of the vm2 library (prior to version 3.11.4), and whether the NodeVM require.builtin configuration allows access to dangerous modules such as process or inspector/promises.

You can inspect your project's dependencies to identify the vm2 version by running commands like:

  • npm list vm2
  • yarn list --pattern vm2

Additionally, review your NodeVM configuration for the presence of 'process', 'inspector/promises', or wildcard '*' in the require.builtin settings, which could indicate exposure to this vulnerability.

Since the vulnerability allows sandboxed code to bypass builtin restrictions, monitoring for unexpected usage of these modules or suspicious runtime behavior related to host process execution could also help in detection.

Mitigation Strategies

The primary mitigation step is to upgrade the vm2 library to version 3.11.4 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, ensure that your NodeVM builtin denylist explicitly blocks 'process' and 'inspector/promises' modules, and avoid using wildcard '*' in require.builtin configurations that could allow dangerous modules.

Review and tighten your sandbox configuration to prevent access to any dangerous builtin modules, including subpath families and URL-style module names.

Monitor your application for any suspicious activity that could indicate sandbox escape attempts.
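The version check and the configuration review described under Detection Guidance and Mitigation Strategies, as an added audit helper (not part of vm2 or this advisory). It assumes the vm2 require.builtin shape as documented by the project ("*" for all builtins, a leading "-" for an exclusion) and applies the family-prefix logic the fix is described as using (strip an optional "node:" URL-style prefix, compare the first path segment) so that subpath and URL-style names resolve to their family.

```javascript
// Constructed audit helper for CVE-2026-47140; not vm2's own code.
const PATCHED = [3, 11, 4]; // first release with the extended denylist

// Builtin families the advisory says the pre-3.11.4 denylist missed.
const DANGEROUS_FAMILIES = ["process", "inspector"];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed vm2 is older than the patched release.
function isVulnerableVersion(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false;
}

// "node:inspector/promises" -> "inspector"; "process" -> "process".
function builtinFamily(name) {
  return name.replace(/^node:/, "").split("/")[0];
}

// Audit a NodeVM require.builtin array (assumed shape: ["*"] allows all,
// "-name" excludes). Returns the dangerous families that stay reachable.
// An exclusion only counts when it denies the whole family ("-process"),
// since excluding one subpath still leaves the rest of the family open.
function auditBuiltinConfig(builtin) {
  const allowAll = builtin.includes("*");
  const excluded = new Set();
  const allowed = new Set();
  for (const entry of builtin) {
    if (entry === "*") continue;
    if (entry.startsWith("-")) {
      const bare = entry.slice(1).replace(/^node:/, "");
      if (!bare.includes("/")) excluded.add(bare);
    } else {
      allowed.add(builtinFamily(entry));
    }
  }
  return DANGEROUS_FAMILIES.filter(
    (fam) => !excluded.has(fam) && (allowAll || allowed.has(fam))
  );
}

// Combined verdict for one deployment: version and configuration together.
function assessDeployment(version, builtin) {
  return { vulnerable: isVulnerableVersion(version), exposed: auditBuiltinConfig(builtin) };
}
```

On a vulnerable version the upgrade is the fix regardless of what the audit reports; the configuration check only shows which of the missed families a given allowlist would hand to sandboxed code.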
