vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
vm2 is a widely-used Node.js sandboxing library designed to safely execute untrusted code by restricting access to dangerous built-in modules. However, versions prior to 3.11.4 contain a critical oversight: while the denylist blocks module, worker_threads, cluster, vm, repl, and inspector, it fails to restrict the process and inspector/promises modules. An attacker can exploit this gap to access host-side execution primitives directly from sandboxed code, completely bypassing the intended security boundaries. This vulnerability affects any application using vm2 as a security control to isolate untrusted scripts—including code execution platforms, templating engines, and multi-tenant systems. The CVSS 10.0 rating reflects the severity: unrestricted code execution in the host process with no user interaction required.
While this CVE lacks direct MITRE ATT&CK technique mappings, the attack pattern aligns with CWE-693 (Protection Mechanism Failure) and represents a classic privilege escalation and execution scenario. Practitioners using Casky.ai would benefit from skills that detect sandbox escape indicators: unauthorized module imports, unexpected process object access patterns, and anomalous execution context transitions. Extended reasoning across Casky's 754 security skills would help identify behavioral anomalies such as sandboxed code attempting to spawn child processes, access environment variables, or load native modules—all telltale signs of escape attempts. Teams should monitor for vm2 usage in their codebase, implement input validation that assumes sandboxing may fail, and immediately upgrade to version 3.11.4 or later to eliminate this attack surface entirely.
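As an added example (not vm2's or Casky's code), the two checks above can be automated: flag a pinned vm2 version below 3.11.4 in a package-lock.json, and flag NodeVM `require.builtin` settings that either rely on the denylist wildcard or explicitly expose the two builtins it missed. The lock-file shape and the NodeVM option names are assumptions based on npm's lockfile v2/v3 format and vm2's documented options.

```javascript
// Added example, not from the advisory or vm2: audit a lock file and a NodeVM
// options object for the CVE-2026-47140 conditions described above.
const FIXED = [3, 11, 4];                         // first patched vm2 release
const MISSED = ['process', 'inspector/promises']; // builtins the pre-3.11.4 denylist missed

// Parse "3.11.3" or "^3.11.3" into [major, minor, patch]; null if unparsable.
function parseVersion(v) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is older than 3.11.4 (or cannot be parsed at all).
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p) return true; // unknown version: treat as unpatched
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Walk the "packages" map of a lockfile (v2/v3 layout, assumed) for vm2 copies,
// including nested ones, and return those below the fixed version.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      if (isVulnerableVersion(info.version)) hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Flag NodeVM options that depend on the denylist (builtin wildcard) or that
// allowlist the builtins the denylist missed; a short explicit allowlist of
// safe builtins is the configuration to aim for.
function auditNodeVmOptions(opts) {
  const issues = [];
  const builtin = opts && opts.require && opts.require.builtin;
  if (!Array.isArray(builtin)) return issues; // no builtins reachable at all
  if (builtin.includes('*')) issues.push('builtin wildcard relies on the denylist; use an explicit allowlist');
  for (const m of MISSED) if (builtin.includes(m)) issues.push(`builtin allowlist exposes ${m}`);
  return issues;
}

// Constructed sample lock file (not a real project).
const sampleLock = { packages: { 'node_modules/vm2': { version: '3.11.3' } } };
console.log(findVulnerableVm2(sampleLock));                       // one hit: 3.11.3
console.log(auditNodeVmOptions({ require: { builtin: ['*'] } }));  // one issue
console.log(auditNodeVmOptions({ require: { builtin: ['path'] } })); // []
```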