vm2 Sandbox Library Exposes Three Critical CVSS 10.0 Vulnerabilities in a 12‑Bug Sweep

1. Event Overview

vm2 is a widely used Node.js sandbox library that isolates untrusted scripts. A recent security audit submitted twelve vulnerability reports, three of which received a perfect CVSS 10.0 score, indicating maximum severity.

The affected range covers all vm2 versions up to 3.11.3, with Node.js 26 environments being especially risky.

2. Technical Analysis: How the Three Critical Bugs Work

2.1 CVE‑2026‑47137 – Check‑then‑use mismatch

The flaw is a classic TOCTOU (time‑of‑check‑to‑time‑of‑use) variant in parameter validation. In nodevm.js line 263 the code checks:

if (options.nesting === true && options.require === false) { throw new VMError('...'); }

When the require option is omitted, its value is undefined, so the strict equality check fails and the guard is bypassed. Later, a destructuring default assigns requireOpts = false, effectively treating the missing option as require: false, but the security check has already been skipped.

Attack code creates an outer NodeVM with nesting: true and no require option, then spawns an inner sandbox with require: { builtin: ['child_process'] }, allowing execution of child_process.execSync('id') inside the host.

2.2 CVE‑2026‑47210 – WebAssembly JSPI and Promise integration

This vulnerability exploits the WebAssembly JavaScript Promise Integration (JSPI) mode together with the .finally() method. A rejected Promise created in the host propagates a controlled species constructor, which can be redirected to the host’s process object, granting the sandbox code a reference to process and enabling arbitrary command execution.

2.3 CVE‑2026‑47140 – Deny‑list bypass

vm2 maintains a deny‑list that blocks dangerous modules such as child_process. However, the process and inspector/promises modules are not on the list. An attacker can call process.getBuiltinModule('child_process') to reload the blocked module or use the Inspector protocol to run arbitrary JavaScript in the host process.

3. Impact and Risk Assessment

Beyond the three CVSS 10.0 bugs, a total of twelve issues were disclosed, most scoring 9.8 or higher. Unpatched CVEs 2026‑44008 and 2026‑44009 remain without fixes.

High‑risk scenarios include online code‑execution platforms, automated testing environments, plugin systems, and educational coding platforms that rely on vm2 for isolation.

Any application using NodeVM or VM with the nesting and require options should audit its configuration immediately.

4. Mitigation Recommendations

Immediate actions :

Upgrade vm2 to version 3.11.4 or later.

If upgrade is not possible, apply temporary mitigations:

Explicitly set require: false.

Disable the nesting option.

Long‑term solutions :

Consider stronger isolation mechanisms such as gVisor, lightweight VMs (e.g., Firecracker), or dedicated WebAssembly runtimes like Wasmtime or Wasmer.

5. Conclusion

The vm2 author acknowledges the recurring nature of these bugs; each fix is quickly followed by new discoveries, reflecting vm2’s extensive use in the Node.js ecosystem. Developers should upgrade to 3.11.4 without delay, and, where possible, disable nesting and set require to false. Ultimately, sandboxing is not a silver bullet—high‑security workloads should adopt VM‑level isolation.