A fix was pushed into the master branch but not yet published.
org.webjars.npm:vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the WebAssembly.promising and WebAssembly.Suspending JSPI APIs in lib/setup-sandbox.js. An attacker can reach host-realm Promise.prototype methods from a sandbox-visible promise, install an attacker-controlled constructor getter, and drive Promise.prototype.finally to hand a raw host error to sandbox code by instantiating a JSPI-enabled wasm module and triggering a rejection. That raw host object lets the attacker recover the host Function constructor and execute code in the host realm, breaking out of the VM and exposing the underlying process.