CVE-2026-47141: NodeVM observability builtins leak host process and HTTP request data
NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin.
The following builtins are not blocked by the dangerous builtin denylist:
diagnostics_channel
async_hooks
perf_hooks
These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.
Note: this is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.
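As an added example (not code from the vm2 project or from this advisory), the following audit shows the weak configuration beside a hardened one. It assumes vm2's NodeVM option shape `{ require: { builtin: [...] } }`, where `'*'` in the `builtin` array permits every builtin; the function names, the sample option objects and the fallback allowlist are constructed for illustration.

```javascript
// Added example: audit a NodeVM options object for process-wide observability
// builtins and produce a hardened copy. Assumes vm2's `require.builtin` array
// option ('*' = allow every builtin). Not vm2 project code.

// Builtins named in the advisory as process-wide rather than sandbox-local.
const PROCESS_WIDE_OBSERVABILITY = ['diagnostics_channel', 'async_hooks', 'perf_hooks'];

// Normalise so that 'node:perf_hooks' and 'perf_hooks' compare equal.
function normalizeBuiltinName(name) {
  return String(name).replace(/^node:/, '');
}

// Return findings for a NodeVM options object; an empty array means nothing flagged.
function auditNodeVMOptions(options) {
  const findings = [];
  const req = options && options.require;
  if (!req || !Array.isArray(req.builtin)) return findings; // require disabled: nothing reachable
  if (req.builtin.includes('*')) {
    findings.push({
      module: '*',
      reason: 'wildcard allows every builtin, including process-wide observability modules',
    });
  }
  for (const name of req.builtin) {
    const n = normalizeBuiltinName(name);
    if (PROCESS_WIDE_OBSERVABILITY.includes(n)) {
      findings.push({ module: n, reason: 'process-wide observability builtin exposed to sandbox' });
    }
  }
  return findings;
}

// Hardened copy of the options: drop the observability builtins and replace a
// wildcard with an explicit allowlist supplied by the caller (default: none).
// The input object is not mutated.
function hardenNodeVMOptions(options, explicitAllowlist = []) {
  const req = (options && options.require) || {};
  const requested = Array.isArray(req.builtin) ? req.builtin : [];
  const base = requested.includes('*') ? explicitAllowlist : requested;
  const allowed = base
    .map(normalizeBuiltinName)
    .filter((n) => !PROCESS_WIDE_OBSERVABILITY.includes(n));
  return { ...options, require: { ...req, builtin: allowed } };
}

// Constructed sample configurations.
const weakOptions = { require: { builtin: ['*'] } };
const explicitButLeaky = { require: { builtin: ['path', 'node:perf_hooks', 'async_hooks'] } };

// Demo when run directly (output is informational only).
console.log('wildcard findings:', auditNodeVMOptions(weakOptions));
console.log('explicit findings:', auditNodeVMOptions(explicitButLeaky));
console.log('hardened:', hardenNodeVMOptions(explicitButLeaky).require.builtin);

// Usage with vm2 (not executed here; vm2 is not loaded by this example):
// const { NodeVM } = require('vm2');
// const vm = new NodeVM(hardenNodeVMOptions(weakOptions, ['path']));
```

The audit flags both the wildcard case and explicit listings of the three modules, and `hardenNodeVMOptions` never widens access: a wildcard becomes whatever explicit allowlist the caller passes, and nothing passed the filter unless it is outside the observability set. Removing `require` altogether, or leaving `builtin` empty, remains the stronger choice when the sandboxed code does not need host modules at all.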