CVE Catalog

CVE-2026-47135

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

22th percentile - higher than 22% of all known CVEs

Summary

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols, allowing for the acquisition of real cross-realm symbols and control over host-side behavior.

Risk Assessment

Organizations may be exposed to attacks that exploit security vulnerabilities, allowing malicious code to manipulate host objects and their behavior.

Recommendation

It is recommended to upgrade to version 3.11.4 or later to patch this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS