Skip to main content

vm2 EUVDEUVD-2026-36449

| CVE-2026-47141 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-29 https://github.com/patriksimek/vm2 GHSA-9g8x-92q2-p28f
6.9
CVSS 4.0 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.6 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 12, 2026 - 15:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 29, 2026 - 18:51 vuln.today
Analysis Generated
May 29, 2026 - 18:51 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 88 npm packages depend on vm2 (4 direct, 84 indirect)

Ecosystem-wide dependent count for version 3.11.4.

DescriptionCVE.org

Summary

NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin.

The following builtins are not blocked by the dangerous builtin denylist:

text
diagnostics_channel
async_hooks
perf_hooks

These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary.

Note: It is a host data exposure issue. The impact depends on whether the host application allows these builtins and uses HTTP, async request context, diagnostics channels, or performance marks in the same process.

Details

Non-denied builtins are exposed to the sandbox through lib/builtin.js:

js
builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));

diagnostics_channel, async_hooks, and perf_hooks are not denied. These modules expose host process state rather than sandbox-local state.

Confirmed examples:

  1. diagnostics_channel lets sandboxed code subscribe to Node.js HTTP diagnostic channels such as http.server.request.start. The sandbox receives host HTTP request objects and can read headers such as Authorization or session tokens.
  2. async_hooks.executionAsyncResource() lets sandboxed code read the current host AsyncResource. If the host stores request/user data on that resource, the sandbox can read it.
  3. perf_hooks.performance.getEntriesByType('mark') lets sandboxed code read host performance timeline entries.

PoC

Run from the vm2 repository root:

bash
node poc/observability-builtins-info-leak.js

observability-builtins-info-leak.js

The PoC uses only the specific builtin being tested in each section.

It confirms:

text
diagnostics_channel: sandbox reads host HTTP request headers
async_hooks: sandbox reads host AsyncResource data
perf_hooks: sandbox reads host performance mark names

Example impact from the PoC:

text
authorization: Bearer HOST_HTTP_SECRET_...
x-session-token: HOST_HTTP_SECRET_...

These values are sent to a host HTTP server, but the sandbox reads them through diagnostics_channel.

<img width="997" height="566" alt="Screenshot 2026-05-10 at 1 13 20 PM" src="https://github.com/user-attachments/assets/36a7d600-8b53-4bfe-ab06-4e6dcfad5015" />

Impact

An attacker who can run untrusted JavaScript inside NodeVM with affected builtin settings can observe data from the host process.

In a real application, this may expose HTTP request headers, authorization tokens, session tokens, request context values, user identifiers, or other sensitive diagnostics data from the host application or from other users.

Suggested fix

Treat process-wide observability modules as dangerous builtins for untrusted sandboxes.

At minimum, consider blocking:

text
diagnostics_channel
async_hooks
perf_hooks

These modules are not sandbox-local and can expose host process state across the vm2 boundary.

AnalysisAI

Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).

Technical ContextAI

vm2 is a widely-used Node.js sandboxing library (pkg:npm/vm2) that restricts untrusted JavaScript by filtering access to Node.js built-in modules through a DANGEROUS_BUILTINS denylist enforced in lib/builtin.js. CWE-668 (Exposure of Resource to Wrong Sphere) is the root cause: the affected modules - diagnostics_channel, async_hooks, and perf_hooks - are process-wide singletons, not sandbox-local constructs. When allowed through require.builtin, diagnostics_channel enables subscription to Node.js internal HTTP lifecycle events (e.g., http.server.request.start), yielding full IncomingMessage objects with all headers; async_hooks.executionAsyncResource() exposes the current host AsyncResource or AsyncLocalStorage context, commonly used by host applications to propagate per-request identity and credentials; and perf_hooks.performance.getEntriesByType('mark') enumerates host performance timeline entries. The commit diff also reveals that v8 (heap snapshot/query access) was included in the same fix, extending the threat surface beyond what the original advisory description enumerated. Prior enforcement via BUILTIN_MODULES filter and addDefaultBuiltin rejection correctly blocked modules in the original DANGEROUS_BUILTINS list but left these four modules unaddressed.

RemediationAI

Upgrade vm2 to version 3.11.4 (vendor-released patch: 3.11.4), which extends the DANGEROUS_BUILTINS denylist in lib/builtin.js to include diagnostics_channel, async_hooks, perf_hooks, and v8, reusing the existing two-layer enforcement (BUILTIN_MODULES filter and addDefaultBuiltin rejection with family-prefix and node:-normalised matching via isDangerousBuiltin). The patch commit is at https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb and the release at https://github.com/patriksimek/vm2/releases/tag/v3.11.4. The fix preserves mock and override escape hatches, so legitimate uses of these modules via controlled configuration are unaffected. If immediate upgrade is not feasible, audit all NodeVM instantiation sites and explicitly exclude diagnostics_channel, async_hooks, perf_hooks, and v8 from any require.builtin allowlist - removing them from the list prevents sandbox access to these modules without requiring the library patch. As an architectural compensating control, run NodeVM sandboxes in isolated child processes or worker threads with no shared event loop with the host HTTP server; this prevents cross-process access to diagnostic channels entirely, though it introduces IPC latency overhead. Do not rely on application-level filtering of sandbox output alone, as the data exposure occurs inside the sandbox before any output is returned.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

EUVD-2026-36449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy