In the world of Node.js development, the vm2 library has long served as a popular mechanism for running untrusted, user-supplied JavaScript inside a restricted sandbox environment. By whitelisting specific built-in components, applications frequently treat vm2 as an absolute security boundary to protect the underlying host operating system.
However, a recent technical disclosure has laid bare five distinct security vulnerabilities that completely break this layer of isolation. Rated at or near the maximum CVSS severity, these flaws allow any script running inside the sandbox to escape it and achieve Remote Code Execution (RCE) in the host server process. All five flaws affect vm2 versions up to and including 3.11.3.
1. NodeVM builtin denylist bypass via process and inspector/promises allows host code execution (CVE-2026-47140)
The first critical vector (CVSS 10.0) targets the NodeVM implementation layer. Under standard configurations, NodeVM establishes a denylist to block access to high-risk Node.js built-in modules such as module, worker_threads, cluster, vm, repl, and inspector.
However, the denylist omitted two entries: process and inspector/promises. If an application's require.builtin configuration allows a wildcard or names these modules explicitly, a sandboxed script can simply require them and interact directly with host-side execution primitives, exposing server secrets, local files, and system processes.
2. vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass (CVE-2026-47210)
Earning a CVSS score of 9.8, this flaw compromises environments running asynchronous code support on modern runtimes that expose WebAssembly JavaScript Promise Integration (JSPI) features, such as Node 26.
Due to a logical flaw in how constructor species are resolved along a promise's prototype chain, a JSPI-backed Promise can reach the host's Promise.prototype.finally() function in a way that evades vm2's internal hardening. The breakdown exposes a host-originated error object directly to attacker-controlled logic, allowing the script to cross the boundary and reach host tokens, credentials, and application databases.
3. The Patch Bypass (CVE-2026-47137)
The third flaw (CVSS 10.0) is a textbook example of a security patch failure. A prior update (CVE-2023-37903) attempted to block dangerous nested environments by checking whether a sandbox was configured with nesting enabled while require was disabled.
However, the patch used a strict equality check (options.require === false). Attackers discovered they could bypass this guard by simply omitting the require option from their initialization payload. Because an omitted option leaves the parameter undefined rather than false, the check does not fire. Immediately downstream, the code assigns a default value of false, producing exactly the dangerous environment the patch was meant to prevent. An attacker can then load vm2 inside the sandbox, construct a secondary inner VM with unconstrained child_process access, and execute arbitrary operating system shell commands.
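The undefined-versus-false ordering bug described above, as an added example that is not vm2's own code: a simplified option validator with the vulnerable ordering beside a hardened one that normalizes defaults before evaluating the guard. The option names nesting and require follow the article; the function names are hypothetical.

```javascript
// Added illustration of the check-before-default pattern behind
// CVE-2026-47137. Hypothetical names; this is not vm2's implementation.

// Vulnerable ordering: the guard compares strictly against `false`, but the
// default of `false` is applied only AFTER the guard runs. An omitted
// `require` option is `undefined` here, so the guard is skipped and the
// option is then defaulted to the exact state the guard meant to reject.
function validateOptionsVulnerable(options) {
  if (options.nesting === true && options.require === false) {
    throw new Error("nesting with require disabled is not allowed");
  }
  // defaults resolved downstream of the check
  return {
    nesting: options.nesting === undefined ? false : options.nesting,
    require: options.require === undefined ? false : options.require,
  };
}

// Hardened ordering: resolve defaults first, then evaluate the guard on the
// normalized configuration so "omitted" and "explicitly false" are treated
// identically. The guard itself is unchanged.
function validateOptionsHardened(options) {
  const resolved = {
    nesting: options.nesting === undefined ? false : options.nesting,
    require: options.require === undefined ? false : options.require,
  };
  if (resolved.nesting === true && resolved.require === false) {
    throw new Error("nesting with require disabled is not allowed");
  }
  return resolved;
}

// Helper returning "accepted" or "rejected" so both validators can be
// compared on the same constructed inputs.
function outcome(validator, options) {
  try {
    validator(options);
    return "accepted";
  } catch (e) {
    return "rejected";
  }
}
```

With `{ nesting: true }` (require omitted) the vulnerable validator accepts and still defaults require to false, while the hardened one rejects.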
4. Cryptographic Handshake Escapes (CVE-2026-47208 & CVE-2026-47131)
The final two vulnerabilities target the deeper behaviour of JavaScript's core object types:
- Promise Species Breakout (CVE-2026-47208): To ensure a rejected promise is consistently processed safely, the local Promise constructor was modified to pass an internal function. However, developers forgot to clear the promise's constructor species definition. By passing a custom promise with a fabricated rejection method, an attacker can extract a raw host error object, break sandbox containment, and achieve RCE.
- Prototype Hijack (CVE-2026-47131): By binding the `__lookupGetter__` and `__lookupSetter__` property-lookup methods directly against native internal Buffer objects, an attacker can trick the runtime into surfacing Node.js's internal ERR_INVALID_ARG_TYPE error. This allows the script to harvest the host environment's genuine TypeError constructor, escaping the sandbox completely.
Remediation Directive
Because these five vulnerabilities compromise the core security promise of vm2, keeping legacy versions active in production poses an extreme risk. There are no available configuration workarounds capable of mitigating these flaws if untrusted scripts are allowed to run.
Development teams and systems administrators must immediately update their dependency manifests, migrating all active installations to the patched baseline of version 3.11.4 or higher to seal these breakout channels permanently.