Bug 2488387 (CVE-2026-47139)
| Summary: | CVE-2026-47139 vm2: vm2: Sandbox escape via internal HTTP built-ins leading to network restriction bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abarbaro, alizardo, dschmidt, erezende, jchui, jhe, jlanda, kshier, ktsao, nboldt, oaljalju, psrna, simaishi, smcdonal, stcannon, teagle, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as _http_client and _http_server. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public network modules are explicitly denied. This could lead to unauthorized information disclosure or further compromise of the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-06-12 15:01:54 UTC
|