Detect vm2 Sandbox Escape via JSPI-backed Promise .finally() Species Bypass in IBM QRadar
Detects exploitation of CVE-2026-47210, a critical sandbox escape vulnerability in the npm vm2 library (versions <= 3.11.3). The vulnerability abuses the JavaScript Promise Integration (JSPI) mechanism and the Promise species pattern in .finally() to escape the vm2 sandbox and execute arbitrary code on the host. A public PoC exists and exploitation grants full host access with the privileges of the Node.js process.
MITRE ATT&CK
- Tactic
- Execution Privilege Escalation
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process Name" AS parent_process,
QIDNAME(qid) AS event_name,
logsourcename(logsourceid) AS log_source
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Endpoint')
AND (
(LOWER("Command") ILIKE '%vm2%' AND LOWER("Process Name") ILIKE '%node%')
OR (
LOWER("Parent Process Name") ILIKE '%node%'
AND LOWER("Command") ILIKE ANY ('%execsync%', '%spawnsync%', '%child_process%', '%exec(%')
)
)
AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 1000AQL query identifying Node.js processes associated with vm2 or child processes spawned from Node.js using execution-related APIs. Targets both direct vm2 invocations and downstream exploit payloads calling process execution functions.
Data Sources
Required Tables
False Positives & Tuning
- Node.js applications legitimately using vm2 for user script sandboxing in multi-tenant platforms
- Testing harnesses that combine vm2 with execSync for integration test cleanup routines
- Webpack or similar build tools that call child processes as part of normal build pipelines under Node.js
- Server-side rendering frameworks using vm2 for SSR isolation that also manage worker processes
Other platforms for CVE-2026-47210
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1vm2 JSPI Species Bypass — Host Process Execution via Promise.finally
Expected signal: Process creation event: node spawning child process (sh -c 'id > /tmp/vm2_escape_test.txt') or direct execSync call visible in process audit logs. File creation event for /tmp/vm2_escape_test.txt by the node process.
- Test 2vm2 Sandbox Escape — Environment Variable Exfiltration
Expected signal: Node.js process accessing environment variables in a vm2 run context. Application-layer logging may show unexpected JSON serialization of env object. No child process is spawned, so EDR process-tree signals may not fire — rely on vm2 audit logging if enabled.
- Test 3vm2 Version Audit and Vulnerable Instance Discovery
Expected signal: Process creation events for find and node commands reading package.json files. File access events on node_modules directories. No malicious activity — this is a discovery/audit test.
- Test 4vm2 Sandbox Escape on Windows — Host Command Execution via species bypass
Expected signal: Windows Security Event Log (Event ID 4688) showing node.exe creating a child process (cmd.exe or conhost.exe). EDR telemetry showing process tree: node.exe -> cmd.exe with whoami command. File creation event for C:\Temp\vm2_escape.txt.
References (5)
- https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q
- https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6
- https://github.com/patriksimek/vm2/releases/tag/v3.11.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-47210
- https://github.com/advisories/GHSA-6j2x-vhqr-qr7q
Unlock Pro Content
Get the full detection package for CVE-2026-47210 including response playbook, investigation guide, and atomic red team tests.