vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
vm2 is a popular Node.js sandbox that restricts access to dangerous network modules like http, https, and net when configured with wildcard builtin exclusions. However, this vulnerability reveals a critical gap in that protection: Node.js exposes internal underscore-prefixed modules (_http_client, _http_server, _http_agent, and others) that provide equivalent functionality but weren't blocked by the public module filtering. This allows sandboxed code to bypass network restrictions entirely, enabling attackers to establish outbound connections and exfiltrate data despite the sandbox's intended isolation. Any application using vm2 to run untrusted scripts—including multi-tenant platforms, code execution services, and security research tools—faces direct risk of sandbox escape and data theft.
Casky's approach to detecting this attack pattern focuses on behavioral analysis rather than signature matching. Practitioners using Casky would identify anomalous module loading patterns: specifically, attempts to require underscore-prefixed or internal Node.js modules that bypass the intended builtin allowlist. While MITRE ATT&CK mappings aren't provided for this CVE, the underlying attack chain maps to Defense Evasion (T1548 - Abuse Elevation Control Mechanism) and Exfiltration (T1041 - Exfiltration Over C2 Channel). Claude's extended reasoning capabilities would help security teams understand the privilege escalation within sandbox contexts and recognize how legitimate-looking require() calls to internal modules represent a fundamental sandbox escape. Practitioners would see findings highlighting suspicious module resolution patterns and comparing actual loaded modules against configured allowlists—surfacing the critical mismatch that defines this vulnerability.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-47139. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →

© 2026 Casky.AI, Inc. · AI Security Investigation