CVE-2026-47141
vm2 is an open source vm/sandbox for Node.js
Published: 2026-06-12 · Last updated: 2026-06-13
Severity and scoring
- CWE
- CWE-668
Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary. This issue has been patched in version 3.11.4.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-47141
- [Other]https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb
- [Other]https://github.com/patriksimek/vm2/releases/tag/v3.11.4
- [Other]https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f
- [Other]https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f
Related CVEs
Same CWE
- CVE-2026-53826 — OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace ... (4.3 MEDIUM)
- CVE-2026-48096 — OpenFGA is an authorization/permission engine built for developers (5.0 MEDIUM)
- CVE-2026-42535 — A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV proper... (9.1 CRITICAL)
- CVE-2025-15653 — Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unau... (6.8 MEDIUM)
- CVE-2026-46430 — Algernon is a small self-contained pure-Go web server (4.3 MEDIUM)