Detect vm2 Sandbox Escape via JSPI-backed Promise .finally() Species Bypass in CrowdStrike LogScale
Detects exploitation of CVE-2026-47210, a critical sandbox escape vulnerability in the npm vm2 library (versions <= 3.11.3). The vulnerability abuses the JavaScript Promise Integration (JSPI) mechanism and the Promise species pattern in .finally() to escape the vm2 sandbox and execute arbitrary code on the host. A public PoC exists and exploitation grants full host access with the privileges of the Node.js process.
MITRE ATT&CK
- Tactic
- Execution Privilege Escalation
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName=/node(\.exe)?$/i
| CommandLine=/vm2/i OR ParentCommandLine=/vm2/i
| join type=inner
(
#event_simpleName=ProcessRollup2
| ParentImageFileName=/node(\.exe)?$/i
| CommandLine=/(execSync|spawnSync|child_process|exec\()/i
| NOT ImageFileName=/(node|npm|npx)(\.exe)?$/i
| NOT ImageFileName=/^\/usr\/(bin|local\/bin)\//i
| fields ComputerName, ParentProcessId, CommandLine AS ChildCmdLine, ImageFileName AS ChildImage, timestamp AS ChildTime
)
where ComputerName=ComputerName
AND abs(ChildTime - timestamp) <= 300
| eval RiskScore=100
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ChildImage, ChildCmdLine, RiskScore
| sort -RiskScoreCrowdStrike Falcon LogScale (CQL) query joining vm2-referencing Node.js processes with subsequent child process spawns from the same Node.js parent on the same host within 5 minutes, a strong indicator of CVE-2026-47210 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Node.js services using vm2 for user code sandboxing that also orchestrate shell commands for data processing
- CI runners on developer machines using vm2 during test suites that invoke shell commands for environment setup
- Container-based Node.js environments where vm2 is used alongside process management scripts
- Security tools that deliberately test vm2 sandbox boundaries as part of authorized vulnerability scanning
Other platforms for CVE-2026-47210
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1vm2 JSPI Species Bypass — Host Process Execution via Promise.finally
Expected signal: Process creation event: node spawning child process (sh -c 'id > /tmp/vm2_escape_test.txt') or direct execSync call visible in process audit logs. File creation event for /tmp/vm2_escape_test.txt by the node process.
- Test 2vm2 Sandbox Escape — Environment Variable Exfiltration
Expected signal: Node.js process accessing environment variables in a vm2 run context. Application-layer logging may show unexpected JSON serialization of env object. No child process is spawned, so EDR process-tree signals may not fire — rely on vm2 audit logging if enabled.
- Test 3vm2 Version Audit and Vulnerable Instance Discovery
Expected signal: Process creation events for find and node commands reading package.json files. File access events on node_modules directories. No malicious activity — this is a discovery/audit test.
- Test 4vm2 Sandbox Escape on Windows — Host Command Execution via species bypass
Expected signal: Windows Security Event Log (Event ID 4688) showing node.exe creating a child process (cmd.exe or conhost.exe). EDR telemetry showing process tree: node.exe -> cmd.exe with whoami command. File creation event for C:\Temp\vm2_escape.txt.
References (5)
- https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q
- https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6
- https://github.com/patriksimek/vm2/releases/tag/v3.11.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-47210
- https://github.com/advisories/GHSA-6j2x-vhqr-qr7q
Unlock Pro Content
Get the full detection package for CVE-2026-47210 including response playbook, investigation guide, and atomic red team tests.