CVE-2026-47141
vm2: NodeVM observability builtins leak host process and HTTP request data
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary. This issue has been patched in version 3.11.4.

| Field | Value |
|---|---|
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 25th |
| CWE | CWE-668 |
| Vendor | patriksimek |
| Product | vm2 |
| Published | Jun 12, 2026 |
Affected Versions
patriksimek / vm2
< 3.11.4