CVE-2026-47208
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-47208 is a critical sandbox breakout vulnerability in vm2, an open-source Node.js sandbox library, classified as "Sandbox Breakout Using Promise Species" (GHSA-76w7-j9cq-rx2j). It affects all vm2 versions up to and including 3.11.3, and was disclosed by researcher XmiliaH. The vulnerability was published to the GitHub Advisory Database on May 29, 2026, and to the NVD on June 12, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (Github Advisory, vm2 Security Advisory).

Technical Details

The root cause is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources). The localPromise constructor in lib/setup-sandbox.js calls apply(globalPromisePrototypeThen, this, [undefined, localPromiseSwallow]) to attach an internal swallow tail to every sandbox-constructed Promise, but unlike all other call sites in the bridge, it was missing a preceding call to resetPromiseSpecies(this). This omission allows a sandbox subclass to override Symbol.species (e.g., class FakePromise extends Promise { static get [Symbol.species]() { return ct; } }) and redirect V8's internal (resolve, reject) capability to a user-controlled function. Combined with a recursion-overflow primitive (e.stack after deep recursion) to generate a host-realm RangeError inside PromiseResolveThenableJob, the raw host error bypasses all sandbox sanitizers and lands in the attacker's collector, from which ex.constructor.constructor("return process")() yields access to the host Function constructor and enables arbitrary command execution (vm2 Security Advisory, Patch Commit).

Impact

Successful exploitation allows an attacker who can execute arbitrary JavaScript inside a vm2 sandbox to fully escape the sandbox and execute arbitrary commands on the host system with the privileges of the process running vm2. This results in complete compromise of confidentiality, integrity, and availability of the host system. The scope change (S:C in CVSS) reflects that the impact extends beyond the sandbox component to the underlying host, enabling lateral movement, data exfiltration, and persistent access (Github Advisory, vm2 Security Advisory).

Exploitation Steps

  1. Precondition: Attacker must be able to supply and execute arbitrary JavaScript code within a vm2 sandbox running vm2 <= 3.11.3 (e.g., a code execution service, plugin system, or REPL backed by vm2).
  2. Define a custom Error class and stack-overflow function: Inside the sandbox, declare class E extends Error {} and a recursive function so(d) that triggers a deep call stack, accesses e.stack to force V8 to format a host-realm RangeError, and throws it.
  3. Hijack Promise species: Declare class FakePromise extends Promise { static get [Symbol.species]() { return ct; } } where ct is a user-controlled variable. This overrides the species protocol used by the localPromise swallow-tail call.
  4. Capture V8's internal reject capability: Define doCatch(f) which sets ct = function(e) { e(f, v => { ex = v; p.resolve(); }) } and constructs new FakePromise(r => r()). This causes V8 to call new ct(internalExecutor), rebinding V8's internal reject to the sandbox-controlled collector.
  5. Binary-search the overflow depth: Use an async loop to binary-search the recursion depth at which the RangeError originates inside V8's host C++ code (not sandbox code), ensuring the error is a host-realm object.
  6. Receive raw host error: When await doCatch(() => so(mid)) triggers the overflow at the correct depth, V8's PromiseResolveThenableJob delivers the raw host-realm RangeError to the sandbox collector (ex).
  7. Escape sandbox and execute commands: Check ex.name === "RangeError" && !(ex instanceof RangeError) to confirm the host-realm error, then call ex.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned') to execute arbitrary OS commands on the host (vm2 Security Advisory, Patch Commit).

Indicators of Compromise

  • Process: Unexpected child processes spawned by the Node.js process running vm2 (e.g., sh, bash, cmd.exe, or other shells); use of child_process.execSync or child_process.exec from within the vm2 process context.
  • File System: Unexpected files created by the vm2 process (e.g., a file named pwned as in the PoC); new scripts, cron jobs, or persistence mechanisms written by the Node.js service account.
  • Logs: Application logs showing deeply nested async operations or unusual Promise-related stack traces; Node.js crash logs or unhandled rejection warnings associated with RangeError at unusual recursion depths.
  • Network: Outbound connections from the vm2 host process to unknown external IPs, potentially indicating reverse shell or data exfiltration activity following sandbox escape.
  • Code Patterns (Detection): Sandbox input containing Symbol.species, FakePromise extends Promise, constructor.constructor, or child_process strings should be treated as highly suspicious and flagged for review (vm2 Security Advisory, Patch Commit).

Mitigations and Workarounds

The vendor has released vm2 version 3.11.4, which patches this vulnerability by adding resetPromiseSpecies(this) immediately before the swallow-tail apply(globalPromisePrototypeThen, this, [undefined, localPromiseSwallow]) call in lib/setup-sandbox.js, ensuring the species protocol always resolves to localPromise regardless of sandbox subclass overrides (vm2 Release v3.11.4, Patch Commit). All users should upgrade to vm2 >= 3.11.4 immediately. As a temporary workaround where patching is not immediately possible, restrict network access to systems running vulnerable vm2 instances and minimize the privileges of the process running vm2 to limit the blast radius of a successful escape.

Community Response

The vulnerability received coverage from security news outlets including Heise (reporting on multiple critical vm2 vulnerabilities closed in the same release) and SecurityOnline, which covered the broader set of vm2 sandbox escape vulnerabilities (Heise, SecurityOnline). BeyondMachines also highlighted the critical sandbox escapes enabling remote code execution (BeyondMachines). The vulnerability was reported by researcher XmiliaH and credited in the official advisory.

Related Information

Sources

This report was generated using AI.

Related JavaScript Vulnerabilities:

CVE Identifier | Severity | Score | Technology | Component Name         | CISA KEV Exploit | Fix Available | Published
CVE-2026-54350 | CRITICAL | 10    | JavaScript | @budibase/server       | No               | Yes           | Jun 23, 2026
CVE-2026-54257 | CRITICAL | 9.3   | JavaScript | electron               | No               | Yes           | Jun 23, 2026
CVE-2026-54157 | CRITICAL | 9     | JavaScript | @lobehub/lobehub       | No               | Yes           | Jun 23, 2026
CVE-2026-54353 | HIGH     | 8.5   | JavaScript | @budibase/backend-core | No               | Yes           | Jun 22, 2026
CVE-2026-50179 | MEDIUM   | 4.2   | JavaScript | @actual-app/web        | No               | Yes           | Jun 22, 2026
