PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47139 patriksimek CVE debrief

CVE-2026-47139 is a HIGH severity vulnerability in vm2, an open-source vm/sandbox for Node.js. It allows sandboxed code to make outbound HTTP(S) requests and open listening HTTP sockets even when the public network modules are denied, because the underscored internal HTTP builtins such as _http_client and _http_server remain exposed: excluding the public modules does not block them.

Vendor: patriksimek
Product: vm2
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Anyone running vm2, an open-source vm/sandbox for Node.js, at a version prior to 3.11.4 with NodeVM configured to exclude the public network builtins is affected: that exclusion does not cover the underscored internal HTTP builtins.

Technical summary

Prior to version 3.11.4, NodeVM in vm2 supports excluding public network builtins from the wildcard builtin option. However, this configuration does not block access to internal HTTP builtins such as _http_client and _http_server. As a result, sandboxed code can use these internal builtins to bypass the intended restrictions and make outbound HTTP requests or open listening HTTP sockets.

Defensive priority

HIGH

Recommended defensive actions

  • Update vm2 to version 3.11.4 or later.
  • Review NodeVM configurations that exclude public network builtins from a wildcard builtin list; until the upgrade is in place, do not rely on that exclusion to block the underscored internal HTTP builtins such as _http_client and _http_server.
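The gap in the technical summary above, as an added configuration audit (not vm2's code and not part of the advisory). It assumes vm2's wildcard-plus-`-name` exclusion notation for `require.builtin`, and a hypothetical rule that an underscored internal builtin belongs to the public module named after its leading underscore (e.g. `_http_client` -> `http`).

```javascript
// Added example for this debrief; not vm2's own code. It audits a NodeVM
// `require.builtin` list for the gap described above: a public network module
// is denied, but an underscored internal sibling stays reachable via the wildcard.
// Assumptions (not from the page): entries use vm2's "'*' plus '-name' exclusion"
// style, and an internal builtin belongs to the public module whose name follows
// its leading underscore (e.g. _http_client -> http).

// Effective decision for one module name under an allow/deny list.
function isAllowed(name, builtinOption) {
  if (builtinOption.includes('-' + name)) return false; // explicit exclusion wins
  return builtinOption.includes('*') || builtinOption.includes(name);
}

// Public modules the configuration tries to deny (ignores '-_internal' entries).
function deniedPublicModules(builtinOption) {
  return builtinOption
    .filter((e) => e.startsWith('-') && !e.startsWith('-_'))
    .map((e) => e.slice(1));
}

// Internal (underscore-prefixed) builtins still allowed although their public
// module is denied. `moduleNames` is the list of builtins the runtime exposes.
function findInternalLeaks(builtinOption, moduleNames) {
  const denied = deniedPublicModules(builtinOption);
  return moduleNames.filter((m) =>
    m.startsWith('_') &&
    denied.some((pub) => m.startsWith('_' + pub + '_')) &&
    isAllowed(m, builtinOption));
}

// Same list with an explicit exclusion appended for every leaking internal.
function hardenBuiltinOption(builtinOption, moduleNames) {
  const extra = findInternalLeaks(builtinOption, moduleNames).map((m) => '-' + m);
  return builtinOption.concat(extra);
}

// Constructed sample of runtime builtins; on a real system take the list from
// require('module').builtinModules for the Node version in use.
const SAMPLE_BUILTINS = ['fs', 'path', 'http', 'https', 'net', '_http_client',
  '_http_server', '_http_agent', '_stream_readable'];
// Weak setting: wildcard with only the public network modules denied.
const WEAK = ['*', '-http', '-https', '-net'];

const REPORT = {
  leaks: findInternalLeaks(WEAK, SAMPLE_BUILTINS),
  hardened: hardenBuiltinOption(WEAK, SAMPLE_BUILTINS),
};
console.log(REPORT);
```

An explicit allow-list (no wildcard) avoids the problem entirely; the appended exclusions are a stopgap for configurations that must keep the wildcard until the upgrade.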

Evidence notes

CVE-2026-47139 has a CVSS score of 8.6 and is classified as HIGH severity. The vulnerability was published on 2026-06-12T15:16:28.273Z and last modified on 2026-06-12T17:16:23.737Z.
