PT-2026-42732 · Npm · Vm2

Published 2026-05-22 · Updated 2026-06-12 · CVE-2026-47140

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.4
Description: Sandbox escape flaws in NodeVM allow unauthenticated remote code execution on the host server. The issue occurs because the dangerous-builtin denylist in lib/builtin.js misses process and inspector/promises. Sandboxed code can therefore bypass the restrictions and reach host-side execution primitives in two ways: by calling require('process').getBuiltinModule('child_process') to reload child_process even when it has been excluded, or by calling require('inspector/promises') to expose the Inspector protocol and invoke Runtime.evaluate in the host process. This affects applications that allow process, inspector/promises, or the wildcard * in require.builtin.
Recommendations: Update to version 3.11.4. As a temporary workaround, restrict the use of the process and inspector/promises modules or the wildcard * in the require.builtin configuration.

Tags: Exploit · Fix · RCE · Protection Mechanism Failure


Weakness Enumeration

Related Identifiers

CVE-2026-47140
GHSA-RP36-8XQ3-R6C4

Affected Products

Vm2