PatchSiren cyber security CVE debrief
CVE-2026-47131 patriksimek CVE debrief
CVE-2026-47131 is a critical vulnerability in vm2, an open-source vm/sandbox for Node.js. The vulnerability allows attackers to escape the sandbox and run arbitrary code. This is achieved by combining Buffer.call.call({}.__lookupGetter__, Buffer, '__proto__'), Buffer.call.call({}.__lookupSetter__, Buffer, '__proto__'), and Node.js's ERR_INVALID_ARG_TYPE Error, which allows the host's TypeError constructor to be obtained. The issue has been patched in version 3.11.4.
- Vendor: patriksimek
- Product: vm2
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-13
Who should care
Users of vm2, an open-source vm/sandbox for Node.js, should be aware of this vulnerability and mitigate it by updating to version 3.11.4 or later.
Technical summary
The vulnerability has a CVSS score of 10 and is classified as CRITICAL. It allows attackers to escape the sandbox and run arbitrary code. The root cause is a combination of factors, including the use of Buffer.call.call() on the sandboxed Buffer and Node.js's ERR_INVALID_ARG_TYPE error, which exposes the host's TypeError constructor to sandboxed code.
Defensive priority
High
Recommended defensive actions
- Update vm2 to version 3.11.4 or later.
- Review and monitor Node.js applications that use vm2 for potential exploitation attempts.
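As an added example of the first action above (it is not PatchSiren's or the vm2 project's own code), the following Node.js script checks every copy of vm2 pinned in a package-lock.json against the fixed version the page names, 3.11.4, so that an outdated copy nested under another dependency is not missed. The lockfile shown is constructed for the example; the version threshold is taken from this page, and the function names are the example's own.

```javascript
// Added example, not vm2's or PatchSiren's code: flag vm2 copies older than
// the first release the page names as fixed for CVE-2026-47131 (3.11.4).
const FIXED_VERSION = '3.11.4';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional pre-release
// tag after "-") into three integers. Rejects anything else so a malformed
// version never silently compares as "patched".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison field by field (string comparison would say 3.9 > 3.11).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `installed` is 3.11.4 or newer.
function isPatched(installed) {
  return compareVersions(installed, FIXED_VERSION) >= 0;
}

// Collect every vm2 version a parsed package-lock.json pins. Lockfile v2/v3
// expose a flat "packages" map keyed by install path; v1 only has a nested
// "dependencies" tree, which is walked recursively instead.
function findVm2Versions(lockfile) {
  const found = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path.endsWith('node_modules/vm2') && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && dep.version) found.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return found;
}

// Every vm2 copy that still needs updating.
function vulnerableVm2(lockfile) {
  return findVm2Versions(lockfile).filter(({ version }) => !isPatched(version));
}

// Constructed sample lockfile (not from a real project): a patched direct
// dependency plus an outdated copy pulled in transitively by "some-plugin".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.4' },
    'node_modules/some-plugin': { version: '1.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const hit of vulnerableVm2(SAMPLE_LOCK)) {
  console.log(`${hit.path}: vm2 ${hit.version} is older than ${FIXED_VERSION}, update it`);
}
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means at least one vm2 copy in the tree predates the fix, even if the top-level dependency is already current.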
Evidence notes
The vulnerability was patched in version 3.11.4. The release, the GitHub security advisory, and the fixing commit are linked at [ref-5](https://github.com/patriksimek/vm2/releases/tag/v3.11.4), [ref-6](https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg), and [ref-4](https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8).
Official resources
CVE-2026-47131 was published on 2026-06-12T15:16:27.870Z and modified on 2026-06-13T04:17:30.383Z.