# [CRIT] [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue **Source:** GitHub Security Advisories **Published:** 2026-05-29 **Article:** https://github.com/advisories/GHSA-v6mx-mf47-r5wg ## Threat Profile vm2 has a Sandbox Escape issue ### Summary By combining `Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__")`, `Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__")`, and Node.js's `ERR_INVALID_ARG_TYPE` Error, the host's `TypeError` constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. ### PoC ```js "use strict"; const { VM } = require("vm2"); const vm = new VM(); vm.run(` "use strict"; const getProto = Buffer.c… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47131` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1059** — Command and Scripting Interpreter - **T1068** — Exploitation for Privilege Escalation ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### vm2 sandbox-escape PoC strings observed in inbound HTTP request body / WAF `UC_177_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.url="*__lookupGetter__*" OR Web.url="*__lookupSetter__*" OR Web.url="*compileStreaming*" OR Web.url="*Buffer.call.call*" OR Web.url="*mainModule.require*" OR Web.http_user_agent="*constructor.constructor*") by Web.src Web.dest Web.url Web.http_method Web.status | `drop_dm_object_name(Web)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // Defender has no inbound HTTP-body table; pivot via DeviceNetworkEvents to Node processes that received the payload then look at child shells DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node.exe" | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","bash.exe","sh.exe","wmic.exe","mshta.exe") | where ProcessCommandLine has_any ("echo pwned","child_process","execSync") | project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName | order by Timestamp desc ``` ### Node.exe spawning OS shell after vm2 sandbox exploitation `UC_177_3` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="node.exe" Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","bash.exe","sh.exe","wmic.exe","mshta.exe") (Processes.process="*echo pwned*" OR Processes.process="*child_process*" OR Processes.process="*execSync*" OR Processes.process="*mainModule.require*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node.exe" | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","bash.exe","sh.exe","wmic.exe","mshta.exe","conhost.exe") | where ProcessCommandLine has_any ("echo pwned","child_process","execSync","mainModule.require") or InitiatingProcessCommandLine has_any ("vm2","NodeVM","new VM(") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, InitiatingProcessParentFileName, SHA256 | order by Timestamp desc ``` ### Vulnerable vm2 package (<=3.11.3) present in Defender software inventory `UC_177_4` · phase: **weapon** · confidence: **Medium** · AI-generated for this article **Defender KQL:** ```kql union isfuzzy=true ( DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-47131" | project Timestamp, DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate ), ( DeviceTvmSoftwareInventory | where SoftwareName has "vm2" and SoftwareVendor has_any ("npm","node","nodejs","openjs") | where SoftwareVersion matches regex @"^([0-2]\.|3\.([0-9]|10|11)(\.[0-3])?$)" | project Timestamp, DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion ) | order by DeviceName asc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue `UC_177_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("node.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("node.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47131` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.