CVE-2026-47141

EUVD-2026-36449

12.06.2026, 15:16

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary. This issue has been patched in version 3.11.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Common Weakness Enumeration

CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References

https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb

https://github.com/patriksimek/vm2/releases/tag/v3.11.4

https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f