Protection Mechanism Failure in vm2 | CVE-2026-47139

Q: How to fix?

Upgrade vm2 to version 3.11.4 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-VM2-17111337
published31 May 2026
disclosed29 May 2026
creditspbavarva

Report a new vulnerability Found a mistake?

Introduced: 29 May 2026

NewCVE-2026-47139 (opens in a new tab) CWE-693 (opens in a new tab)

How to fix?

Upgrade vm2 to version 3.11.4 or higher.

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Protection Mechanism Failure through the NodeVM builtin wildcard expansion in lib/builtin.js. An attacker can load Node’s private underscored network and stream builtins by supplying builtin: ['*', '-http', '-https', '-net', '-dgram', '-tls', '-dns', '-http2'] and then requiring modules such as _http_client, _http_server, or _tls_wrap. This lets sandboxed code make outbound HTTP requests or open listening sockets despite the embedder’s network exclusions, exposing localhost services, cloud metadata endpoints, and internal admin interfaces to requests originating from the host process.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
Low
Availability (SA)
None

Protection Mechanism Failure Affecting vm2 package, versions <3.11.4

Severity