Executive Summary

CVE-2026-47208 is a critical security vulnerability in the vm2 library, an open source sandbox for Node.js. The flaw exists in the localPromise constructor, where the Promise species is not properly reset. This allows an attacker to override the Symbol.species property of a sandbox subclass, redirecting promise behavior to a user-controlled function.

By exploiting this, an attacker can trigger a host-realm RangeError through deep recursion, which can then be leveraged via the Function constructor to execute arbitrary code on the host system, effectively escaping the sandbox.

The vulnerability was patched in vm2 version 3.11.4 by adding a reset of the Promise species to prevent this hijacking.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to break out of the vm2 sandbox and execute arbitrary commands on the host system without any privileges, user interaction, or complex attack steps.

If you use vm2 to isolate untrusted code, an attacker could exploit this flaw to run malicious code on your server or environment, potentially leading to full system compromise.

The impact includes complete loss of confidentiality, integrity, and availability of the affected system, as indicated by the highest CVSS score of 10.0.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is specific to the vm2 Node.js library versions prior to 3.11.4 and involves a sandbox breakout via the localPromise constructor. Detection involves identifying if your system or application is using a vulnerable version of vm2.

You can check the installed version of vm2 in your project by running the following command in your project directory:

• npm list vm2

If the version is 3.11.3 or earlier, your system is vulnerable.

Additionally, you can search your codebase for usage of vm2 to confirm if it is being used:

• grep -r "require('vm2')" ./

There are no specific network detection commands or signatures mentioned for this vulnerability since it is a code execution flaw within the sandbox environment.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the vm2 package to version 3.11.4 or later, where the vulnerability has been patched.

You can upgrade vm2 by running the following command in your project directory:

• npm install [email protected]

If upgrading immediately is not possible, consider restricting or monitoring the execution of untrusted code within vm2 sandboxes, as the vulnerability allows arbitrary code execution on the host.

Review your application’s use of vm2 and avoid running untrusted code until the patch is applied.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to escape the VM2 sandbox and execute arbitrary commands on the host system, which can lead to unauthorized access and control over sensitive data and systems.

Such unauthorized access and potential data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

Therefore, if exploited, this vulnerability could compromise compliance by exposing protected data or critical systems to attackers.

Useful 0 Not Useful 0