CVE-2026-47131
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-47131 is a critical sandbox escape vulnerability in the vm2 JavaScript sandbox library for Node.js, allowing unauthenticated attackers to execute arbitrary code on the host system. It affects all versions of vm2 up to and including 3.11.3, with the fix released in version 3.11.4. The vulnerability was published by the maintainer on May 18, 2026, and added to the GitHub Advisory Database on May 29, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, vm2 Advisory).

Technical details

The root cause is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources). The attack exploits a flaw in vm2's bridge layer (lib/bridge.js): sandbox code can resolve the host's Object.prototype.__proto__ setter via Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), then invoke it through the apply trap with a host object as this. Because the mutation occurs inside the host intrinsic rather than through any proxy write trap, all sandbox write protections are bypassed. The attacker then triggers a host-realm TypeError via await WebAssembly.compileStreaming(), severs the host TypeError.prototype chain using the obtained setter, and causes a second WebAssembly.compileStreaming() rejection — this time the bridge's proto-walk fails to find a registered mapping and returns the raw host error unwrapped, exposing host Function via e.constructor.constructor, enabling full RCE. A public PoC is included in the advisory (GitHub Advisory, vm2 Commit).

Impact

Successful exploitation results in a complete sandbox escape leading to remote code execution on the host Node.js process with no privileges or user interaction required. An attacker can execute arbitrary system commands (e.g., via child_process.execSync), access all data available to the host process, and potentially pivot to other systems or services reachable from the compromised host. The scope change in the CVSS score reflects that the impact extends beyond the sandbox component to the underlying host environment, with full confidentiality, integrity, and availability compromise (GitHub Advisory, vm2 Advisory).

Exploitation steps

  1. Identify target: Locate a Node.js application that uses vm2 ≤ 3.11.3 to execute untrusted or user-supplied JavaScript code in a sandboxed context.
  2. Obtain host prototype accessors: Inside the vm2 sandbox, resolve the host's Object.prototype.__proto__ getter and setter by executing:
    const getProto = Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__");
    const setProto = Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__");
  3. Trigger first host-realm error: Use await WebAssembly.compileStreaming() inside an async function to generate a host-realm TypeError. In the catch block, sever the host TypeError.prototype chain:
    setProto.call(getProto.call(e), null);
    This invokes the host __proto__ setter via the apply trap, bypassing all proxy write protections.
  4. Trigger second host-realm error: Call await WebAssembly.compileStreaming() again. The bridge's proto-walk now fails to find a registered mapping for the fresh TypeError instance (because the prototype chain was severed), and the raw host error object is returned unwrapped to sandbox code.
  5. Obtain host Function constructor: Read e.constructor.constructor from the unwrapped host TypeError to obtain the host Function constructor.
  6. Execute arbitrary code: Use the host Function to access process and invoke system commands:
    new HostFunction("return process")().mainModule.require("child_process").execSync("echo pwned", { stdio: "inherit" });
    (GitHub Advisory, vm2 Commit)

Indicators of compromise

  • Logs: Node.js application logs showing unexpected execution of child_process methods (e.g., execSync, exec, spawn) originating from within a vm2 sandbox context; errors or stack traces referencing WebAssembly.compileStreaming in rapid succession within a single request lifecycle.
  • Process: Unexpected child processes spawned by the Node.js process (e.g., /bin/sh, bash, cmd.exe, curl, wget) with no legitimate application trigger; unusual process trees where node is the parent of system utility processes.
  • File System: Unexpected files created or modified by the Node.js process user account (e.g., web shells, cron entries, SSH authorized_keys modifications); presence of files named pwned or similar test artifacts in writable directories.
  • Network: Outbound connections from the Node.js server to unexpected external IPs or domains, particularly reverse shell callbacks or data exfiltration traffic initiated by the application process.
  • Application Behavior: vm2 sandbox throwing VMError: Operation not permitted at unusual rates (may indicate failed exploit attempts against patched versions or detection of the apply-trap blocklist).
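A small log-triage helper for the indicators above, added here as an example (it is not part of the advisory or of vm2). It assumes one JSON object per log line with ts, reqId and msg fields; the sample lines are constructed, and the rules flag repeated WebAssembly.compileStreaming TypeErrors within one request and child_process calls whose stack mentions vm2.

```javascript
// Added example, not from the advisory or the vm2 project. Log format
// (ts/reqId/msg JSON per line) and the sample lines below are constructed.
const SAMPLE_LOG = [
  '{"ts":"2026-05-20T10:00:01Z","reqId":"r1","msg":"sandbox run ok"}',
  '{"ts":"2026-05-20T10:00:02Z","reqId":"r2","msg":"TypeError: WebAssembly.compileStreaming() rejected"}',
  '{"ts":"2026-05-20T10:00:02Z","reqId":"r2","msg":"TypeError: WebAssembly.compileStreaming() rejected"}',
  '{"ts":"2026-05-20T10:00:03Z","reqId":"r2","msg":"child_process.execSync called from vm2/lib/bridge.js"}',
  '{"ts":"2026-05-20T10:00:09Z","reqId":"r3","msg":"VMError: Operation not permitted"}',
  'not json at all',
];

const WASM_ERR = /TypeError:.*WebAssembly\.compileStreaming/;
const CHILD_PROC = /child_process\.(execSync|exec|spawn)\b/;
const VM2_FRAME = /\bvm2\b/;

// Parse one log line; non-JSON or malformed lines are skipped, not fatal.
function parseLine(line) {
  try {
    const o = JSON.parse(line);
    if (typeof o.msg !== 'string' || typeof o.reqId !== 'string') return null;
    return { t: Date.parse(o.ts), reqId: o.reqId, msg: o.msg };
  } catch {
    return null;
  }
}

// Returns findings: the two compileStreaming errors in one request (the
// exploit chain needs two) and child_process use reached via a vm2 frame.
function triage(lines, windowMs = 5000) {
  const findings = [];
  const wasmByReq = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (WASM_ERR.test(ev.msg)) {
      const times = wasmByReq.get(ev.reqId) || [];
      times.push(ev.t);
      wasmByReq.set(ev.reqId, times);
    }
    if (CHILD_PROC.test(ev.msg) && VM2_FRAME.test(ev.msg)) {
      findings.push({ reqId: ev.reqId, rule: 'child_process-from-vm2' });
    }
  }
  for (const [reqId, times] of wasmByReq) {
    times.sort((a, b) => a - b);
    if (times.some((t, i) => i > 0 && t - times[i - 1] <= windowMs)) {
      findings.push({ reqId, rule: 'repeated-compileStreaming-errors', count: times.length });
    }
  }
  return findings;
}
```

Running triage(SAMPLE_LOG) reports both rules for request r2 and nothing for r1 or r3; a single VMError line is not enough on its own and is left for rate-based alerting.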

Mitigation and workarounds

Upgrade vm2 to version 3.11.4 or later, which includes a two-layer structural fix in lib/bridge.js: (A) the apply trap now caches and refuses invocations of host prototype-mutating intrinsics (Object.prototype.__proto__ setter, Object.setPrototypeOf, Reflect.setPrototypeOf, Object.defineProperty, Object.defineProperties, Reflect.defineProperty, __defineSetter__, __defineGetter__) including one layer of indirection through Function.prototype.{call,apply,bind} and Reflect.{apply,construct}; (B) thisEnsureThis now cache-checks mappingOtherToThis before the proto-walk, so previously-bridged host values return the existing proxy even if their prototype chain is tampered. There is no known configuration-based workaround — the only remediation is upgrading to the patched version (vm2 Release, GitHub Advisory).
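Since upgrading is the only remediation, the first defender task is finding every vm2 copy below 3.11.4 in a dependency tree, including nested copies pulled in by other packages. The following audit of a package-lock.json is an added example (not vm2 or advisory code); the fixed version comes from the advisory, and the lock-file objects are constructed.

```javascript
// Added example, not from the vm2 project or the advisory. FIXED_VM2 is the
// patched version named in the advisory; the sample lock files are constructed.
const FIXED_VM2 = '3.11.4';

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare of major.minor.patch (string compare would rank 3.11.10 below 3.11.4).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Collect every vm2 entry: lockfileVersion 2/3 use a flat "packages" map keyed by
// path; lockfileVersion 1 uses a nested "dependencies" tree.
function collectVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p === 'node_modules/vm2' || p.endsWith('/node_modules/vm2')) found.push({ path: p, version: info.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'vm2') found.push({ path: p, version: info.version });
      walk(info.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function findVulnerableVm2(lock) {
  return collectVm2(lock).filter(e => compareSemver(e.version, FIXED_VM2) < 0);
}

const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/vm2': { version: '3.11.3' },
  'node_modules/some-runner/node_modules/vm2': { version: '3.11.4' },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'some-runner': { version: '1.0.0', dependencies: { vm2: { version: '3.9.19' } } },
} };
```

In a real run, load the file with JSON.parse(fs.readFileSync('package-lock.json')) and fail the build when findVulnerableVm2 returns a non-empty list.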

Community reactions

The vulnerability received coverage from Heise, which reported on four critical maximum-severity security gaps in vm2 being closed simultaneously (Heise). SecurityOnline also covered the vm2 sandbox escape vulnerabilities in the context of Node.js RCE risks (SecurityOnline). BeyondMachines noted the critical nature of the sandbox escapes enabling remote code execution (BeyondMachines). The release of v3.11.4 simultaneously patched ten advisories, signaling a significant security audit effort by the maintainer.

Additional resources

  • GitHub Advisory — Official GitHub Advisory Database entry for CVE-2026-47131
  • vm2 Advisory — vm2 repository security advisory with PoC
  • vm2 Release — v3.11.4 release notes detailing all ten patched advisories
  • vm2 Commit — Patch commit with detailed technical explanation
  • Heise — News coverage of vm2 critical vulnerabilities
  • SecurityOnline — Security blog coverage of vm2 sandbox escapes
  • GitLab Advisory — GitLab advisory entry for CVE-2026-47131

Source: This report was generated with the help of AI.
