Back to CVE List

CVE-2026-47131

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score
10.0 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-913
Source
GitHub
Vendor
npm
Product
vm2

External References

Discussion (0)

Add Comment

No comments yet. Be the first!