Node.js: Four critical security gaps with maximum rating in vm2 closed

Attackers can once again break out of the Node.js sandbox vm2 and execute malicious code on the host system. Security updates provide a remedy.


The vm2 sandbox of the open-source JavaScript runtime environment Node.js just can't escape the headlines, and the developers are now closing further “critical” security vulnerabilities. Once again, attackers can break out of the sandbox and compromise host PCs with malicious code.

In version 3.11.4, the developers have closed several vulnerabilities. Among them are four “critical” flaws with the highest possible CVSS score of 10 out of 10 (CVE-2026-47208, CVE-2026-47137, CVE-2026-47140, CVE-2026-47131). There are several ways to inject and execute malicious code on the host system.

Because `process` and `inspector/promises` are not on Node.js's blocklist, attackers can use them to break out of the sandbox. Additionally, they can combine various functions to reach the host system via the TypeError constructor.

Another “critical” vulnerability (CVE-2026-47210) allows for another sandbox breakout in the context of WebAssembly JSPI. Furthermore, the developers have closed three security vulnerabilities (CVE-2026-47139, CVE-2026-47209, CVE-2026-47135) with the threat level “high.” Further information on the vulnerabilities can be found in the security section of the project's GitHub website.


vm2 has been making headlines since the beginning of May because attackers can bypass the sandbox. Accordingly, the developers recently closed two “critical” security vulnerabilities (CVE-2026-26956, CVE-2026-45411). So far, there are no warnings from the developers that attackers are already exploiting the vulnerabilities. Nevertheless, administrators should not delay patching for too long.
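A quick way for administrators to find out whether a project still ships an affected vm2 release is to scan its lockfile for copies older than the fixed version. The following script is an added example, not code from this article or from the vm2 project; it assumes a package-lock.json in the v2/v3 layout (a top-level `packages` map keyed by install path) and treats 3.11.4, the release named above, as the first fixed version. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: flag vm2 copies older than the fixed release 3.11.4
// in a package-lock.json v2/v3 "packages" map (assumed layout).
const FIXED_VM2_VERSION = "3.11.4"; // fixed release named in the article

// Numeric comparison of dotted version strings. A pre-release suffix
// ("3.11.4-rc.1") sorts below the plain release of the same base.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-");
  const [baseB, preB] = b.split("-");
  const pa = baseA.split(".").map(Number);
  const pb = baseB.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Walk every installed package path and collect vm2 entries below the fix.
// Nested copies ("node_modules/foo/node_modules/vm2") are included, since a
// transitive dependency can pin an old vm2 even when the top-level one is patched.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (compareVersions(entry.version, FIXED_VM2_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one outdated top-level vm2 and one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.3" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.4" },
  },
};

// Human-readable report for the sample; with a real project, load the
// lockfile with fs.readFileSync and JSON.parse instead of using sampleLock.
for (const hit of findVulnerableVm2(sampleLock)) {
  console.log(`vm2 ${hit.version} at ${hit.path} is older than ${FIXED_VM2_VERSION}`);
}
```

The same result can be had interactively with `npm ls vm2`, which also lists nested copies; the script is useful where the check must run in CI or across many repositories. Updating a transitive copy may require bumping the dependency that pins it rather than vm2 itself.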

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.