CVE-2026-47140: 
JavaScript Schwachstellenanalyse und -minderung

CVE-2026-47140 is a sandbox escape vulnerability in the vm2 npm package (NodeVM) that allows sandboxed code to bypass the builtin module denylist and execute arbitrary code in the host process. The flaw affects vm2 versions <= 3.11.3 and was published on May 18, 2026, with the GitHub Advisory Database entry updated May 29, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, vm2 Advisory).

The root cause is a Protection Mechanism Failure (CWE-693) in lib/builtin.js, where the DANGEROUS_BUILTINS denylist used exact-match string comparison and omitted two critical entries: process and inspector/promises. Because non-denied builtins are passed directly to the sandbox via vm.readonly(hostRequire(key)), sandboxed code can call require('process').getBuiltinModule('child_process') (available in Node.js 22+) to reload any core module regardless of the embedder's allow/deny configuration, or call require('inspector/promises').Session().post('Runtime.evaluate', ...) to evaluate arbitrary JavaScript in the host realm. The subpath form inspector/promises did not match the existing inspector denylist entry because matching was exact rather than family-prefix. This vulnerability is reachable in any NodeVM configuration that allows process, inspector/promises, or the wildcard '*' in require.builtin; it is not reachable with the default configuration where require is disabled (GitHub Advisory, vm2 Commit).

Successful exploitation allows an attacker who can submit untrusted JavaScript to a NodeVM sandbox to fully escape the sandbox and execute arbitrary code in the host Node.js process with the privileges of that process. This enables reading and writing arbitrary files, spawning child processes, accessing host environment variables and secrets, and potentially pivoting to other systems reachable from the host. The scope change (S:C) in the CVSS score reflects that the impact extends beyond the sandbox component to the entire host application and its underlying infrastructure (GitHub Advisory, vm2 Advisory).

1. Identify target: Locate an application that uses vm2's NodeVM to execute untrusted or user-supplied JavaScript with a require.builtin configuration that includes '*', 'process', or 'inspector/promises' — for example, builtin: ['*', '-child_process', '-inspector'].
2. Craft bypass payload (Method 1 — process.getBuiltinModule): Submit the following sandboxed JavaScript to reload child_process via the process builtin, bypassing the explicit exclusion:

const cp = require('process').getBuiltinModule('child_process');
module.exports = cp.execFileSync('/bin/sh', ['-c', 'id']).toString();

3. Craft bypass payload (Method 2 — inspector/promises): Alternatively, use the inspector/promises subpath to evaluate arbitrary JavaScript in the host realm:

const { Session } = require('inspector/promises');
const s = new Session();
s.connect();
s.post('Runtime.evaluate', { expression: 'require("child_process").execSync("id").toString()' });

4. Achieve host code execution: Either method spawns processes or evaluates code in the host Node.js process, granting full access to the host environment including file system, environment variables, and network (GitHub Advisory, vm2 Commit).

• Process: Unexpected child processes (e.g., /bin/sh, bash, cmd.exe) spawned as children of the Node.js process running vm2; calls to execFileSync, execSync, or spawnSync originating from within a vm2 sandbox context.
• Logs: Application logs showing require('process') or require('inspector/promises') calls within sandboxed code; Node.js inspector protocol Runtime.evaluate events originating from within a vm2 execution context.
• Network: Unexpected outbound connections from the Node.js host process to external IPs, potentially indicating reverse shell or data exfiltration activity following sandbox escape.
• File System: New or modified files written by the Node.js process in unexpected directories; presence of web shells or scripts dropped by the Node.js service account (GitHub Advisory, vm2 Commit).

Upgrade vm2 to version 3.11.4, which adds process to the DANGEROUS_BUILTINS set, promotes denylist matching to family-prefix via isDangerousBuiltin(key) (blocking inspector/promises and all future subpath variants), strips the node: URL prefix before matching, and enforces the check at both the BUILTIN_MODULES wildcard expansion path and the addDefaultBuiltin explicit-allowlist path. No configuration-based workaround fully mitigates the issue in affected versions; as an interim measure, avoid using builtin: ['*'] or explicitly allowing process or inspector/promises in NodeVM configurations that execute untrusted code. Embedders who need safe stubs for blocked modules can register them via SPECIAL_MODULES, mocks, or overrides (vm2 Release, vm2 Commit).

Coverage of this vulnerability appeared in security news outlets including Heise (in English) and SecurityOnline, which highlighted it as part of a broader set of critical sandbox escape vulnerabilities in vm2. BeyondMachines also reported on the critical sandbox escapes enabling remote code execution. The vulnerability was reported by researchers credited as spbavarva and VladimirEliTokarev (GitHub Advisory).