The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade vm2 to version 3.11.4 or higher.
vm2 is a sandbox that can run untrusted code with whitelisted Node.js built-in modules.
Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the WebAssembly.promising and WebAssembly.Suspending JSPI APIs exposed in lib/setup-sandbox.js. Sandbox code can reach host-realm Promise.prototype methods from a sandbox-visible promise and install an attacker-controlled constructor getter on it; instantiating a JSPI-enabled wasm module and triggering a rejection then drives Promise.prototype.finally, which consults that getter and hands a raw host Error object to sandbox code. From that raw host object the attacker recovers the host realm's Function constructor and executes arbitrary code in the host realm, escaping the sandbox and exposing the underlying Node.js process.