CVE-2026-47135
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols, allowing for the acquisition of real cross-realm symbols and control over host-side behavior.
Risk Assessment
Organizations may be exposed to attacks that exploit security vulnerabilities, allowing malicious code to manipulate host objects and their behavior.
Recommendation
It is recommended to upgrade to version 3.11.4 or later to patch this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.

