CVE-2026-47135 HIGH

CVE-2026-47135: vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

Vendor Patriksimek
Product vm2
Weakness CWE-693
Published June 12, 2026
Last update June 13, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 13, 2026 Record updated