Lucene search
K

4 matches found

Vulnrichment
Vulnrichment
added 2026/06/12 2:15 p.m.9 views

CVE-2026-47139 vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 2:15 p.m.28 views

CVE-2026-47139 vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes...

8.6CVSS0.00282EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:15 p.m.22 views

CVE-2026-47139

vm2 NodeVM burlon bypass vulnerability exists where public network modules are blocked but internal underscored HTTP builtins (_http_client, _http_server) remain reachable. The issue allows sandboxed code to perform outbound HTTP requests and open listening sockets despite network exclusions, ena...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/29 6:8 p.m.8 views

Protection Mechanism Failure

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Protection Mechanism Failure through the NodeVM builtin wildcard expansion in lib/builtin.js. An attacker can load Node’s private...

9.3CVSS5.9AI score0.00282EPSS
Exploits0References2
Rows per page
Query Builder