
Node.js: Four Critical Security Vulnerabilities with Maximum Rating Patched in vm2

Attackers can once again escape the Node.js sandbox vm2 and execute malicious code on the host system. Security updates provide a remedy.

The vm2 sandbox of the open-source JavaScript runtime environment Node.js continues to make headlines: developers have now patched further “critical” security vulnerabilities. Once again, attackers were able to escape the sandbox and compromise host PCs with malicious code.

Critical software flaws. In version 3.11.4, developers have patched several vulnerabilities. Among them are four “critical” flaws with the highest possible CVSS score of 10 out of 10 (CVE-2026-47208, CVE-2026-47137, CVE-2026-47140, CVE-2026-47131). They open several ways to inject malicious code into the host system and execute it there.

Because the Node.js builtins `process` and `inspector/promises` are not on the blocklist, attackers can use them to mount a sandbox escape. Additionally, they can chain several functions to reach the host system via the TypeError constructor.

Further dangers. Another “critical” vulnerability (CVE-2026-47210) enables a further sandbox escape in the context of WebAssembly JSPI. Furthermore, developers have patched three additional security vulnerabilities (CVE-2026-47139, CVE-2026-47209, CVE-2026-47135) with a “high” threat level. Further information about the vulnerabilities can be found in the security section of the project’s GitHub website [1].

Since early May, vm2 has been making headlines [2] because attackers can circumvent the sandbox; most recently, developers patched two “critical” security vulnerabilities (CVE-2026-26956, CVE-2026-45411). To date, developers have not warned of attackers already exploiting the vulnerabilities. Nevertheless, admins should not delay patching for too long.

(des [4])

URL of this article: https://www.heise.de/-11300256

Links in this article:

[1] https://github.com/patriksimek/vm2/security/advisories

[2] https://www.heise.de/news/Node-js-25-Ausbrueche-aus-JavaScript-Sandbox-vm2-vorstellbar-11285063.html

[3] heise security PRO

[4] mailto:des@heise.de

Copyright © 2026 Heise Medien
