CRITICAL🇵🇱 Wersja polska

CVE-2026-47210

CVSS 9.8v3.1pub. 2026-06-12

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.

🤖 AI Analysis
How it works

The flaw is that a Promise based on the WebAssembly JSPI mechanism (WebAssembly.promising / WebAssembly.Suspending) can reach the Promise.prototype.finally() method in a way that bypasses the expected Promise-species hardening protection. As a result, a rejection object from the host is exposed to attacker-controlled species logic, leading to sandbox boundary bypass. An attacker providing untrusted code for execution in vm2 can thus gain full access to the host process.

Impact

An attacker can execute arbitrary code (RCE) outside the sandbox — directly in the Node.js host process, which can lead to complete server takeover, data leakage, and violation of system integrity and availability.

Mitigation & patch

vm2 should be updated to version 3.11.4 or later, in which the vulnerability has been patched. The patch is available in the GitHub repository under the v3.11.4 tag (commit 6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6).

Who is affected

The vm2 library in versions earlier than 3.11.4, running on Node.js environments exposing WebAssembly JSPI.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References