CVE-2026-47131: vm2 has a Sandbox Escape issue
By combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__") and Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__") with Node.js’s ERR_INVALID_ARG_TYPE error, code running inside the sandbox can obtain the host’s TypeError constructor, which allows it to escape from the sandbox.
This allows attackers to run arbitrary code.