Impact
vm2 is a Node.js sandbox library used to evaluate JavaScript in an isolated context. CVE-2026-47208 / GHSA-76w7-j9cq-rx2j affects vm2 versions up to and including 3.11.3 and can let code already running inside the sandbox escape that boundary with the privileges of the host Node.js process [S1][S2].
Affected dependency evidence
The reviewed GitHub Advisory lists the npm package vm2, affected versions <=3.11.3, and patched version 3.11.4 [S1]. NVD tracks the same CVE under the CWE-913 classification [S2].
Covered by FixVibe
FixVibe covers this issue in GitHub repository scans with the discovery.npm.vm2-cve-2026-47208 check. The scanner reviews authorized repository dependency files such as package.json, package-lock.json, npm-shrinkwrap.json, yarn.lock, and pnpm-lock.yaml for vm2 versions associated with the advisory.
Findings are reported as version-based advisory evidence. FixVibe does not run the application, execute sandbox-breakout proof-of-concept code, inspect deployed routes or job workers, verify that untrusted code reaches vm2, confirm VM or NodeVM runtime configuration, or claim host command execution from dependency evidence alone.
Fix
Upgrade vm2 to 3.11.4 or a later supported release [S1]. Regenerate the active lockfile, rebuild the deployed Node.js runtime, and verify the active dependency graph no longer resolves an affected version. If vm2 protects tenant scripts, plugins, workflow expressions, AI/tool-generated code, or other untrusted JavaScript, review logs and queued inputs handled before the upgrade and consider rotating credentials available to the Node.js process.
