CVE Vulnerabilities

CVE-2026-47140

Protection Mechanism Failure

Published: Jun 12, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
4.1 MODERATE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Ubuntu
root.io logo minimus.io logo echo.ai logo

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Weakness

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Affected Software

NameVendorStart VersionEnd Version
Red Hat Developer Hub 1.10RedHatrhdh/rhdh-hub-rhel9:1783448184*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-hub-rhel9:1782761244*

References