CVE-2026-47210

Published Jun 12, 2026

Last updated a day ago

CVSS critical 9.8

Overview

Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.
Source
security-advisories@github.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-913

Social media

Hype score
Not currently trending

  1. 🚨 CRITICAL: CVE-2026-47210 (CVSS 9.8) - vm2 Node.js sandbox escape allows arbitrary code execution on host when using WebAssembly JSPI with async. Affects versions <3.11.4. Patch immediately! #CVE #PatchNow #ThreatIntel https://t.co/nt672ljtf5

    @DFIR_Lab

    13 Jun 2026

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.