Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the vm2 Node.js sandbox lets code running inside the sandbox escape it in two steps. First, the Symbol.for override in setup-sandbox.js intercepts only some of the Symbol.for keys that Node's own APIs consult (the advisory counts 2 of 9), so sandbox code can obtain the genuine, registry-shared symbol for the others. Second, the bridge's set/defineProperty/deleteProperty traps perform no isDangerousCrossRealmSymbol check on the key, so that symbol can be written onto a host object. Node then reads it on the host side, which is how the reported util.promisify hijack chain gains control of host-side behaviour; the CVSS vector records this as a scope change with high confidentiality and integrity impact. The weakness is classified as CWE-693, Protection Mechanism Failure.

Affected Systems

The issue affects the patriksimek vm2 sandbox library for Node.js. Any installation of vm2 prior to version 3.11.4 is vulnerable. Versions 3.11.4 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) rates this as high severity: no privileges or user interaction are required, the scope changes from the sandbox to the host, and confidentiality and integrity impact are high, while attack complexity is rated high. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: no) indicate a low observed probability of exploitation at the time of publication, and the issue is not listed in the CISA KEV catalog. The precondition is the ability to run attacker-controlled code inside a vm2 sandbox, which is exactly the situation of any application that uses vm2 to isolate untrusted scripts. From there the attacker resolves a cross-realm symbol through Symbol.for that the override does not intercept, writes it to a bridged host object through a set/defineProperty/deleteProperty trap that performs no key check, and thereby alters host behaviour; the util.promisify hijack named in the advisory is the verified instance of that pattern.

Generated by OpenCVE AI on June 12, 2026 at 15:24 UTC.

Remediation

Vendor fix: vm2 3.11.4 (see the Description and advisory GHSA-m5q2-4fm3-vfqp). No vendor workaround for earlier versions is provided.

OpenCVE Recommended Actions

  • Upgrade vm2 to version 3.11.4 or later to apply the vendor patch.
  • If an update is not immediately feasible, do not run untrusted or attacker-influenced code in vm2 at all. No configuration change inside vm2 is a safe substitute for the patch; in particular the Symbol.for override in setup-sandbox.js is part of the protection and must not be disabled. Where untrusted execution cannot be avoided, put an OS-level boundary (separate low-privilege process, container or VM) around the host process so that a sandbox escape does not reach the rest of the system.
  • Implement monitoring to detect unexpected writes to host objects or host‑side API calls originating from sandboxed code, and enforce strict isolation policies.



Advisories
Source        ID                    Title
GitHub GHSA   GHSA-m5q2-4fm3-vfqp   vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
History

Fri, 12 Jun 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Patriksimek
                                       Patriksimek vm2
Vendors & Products                     Patriksimek
                                       Patriksimek vm2

Fri, 12 Jun 2026 15:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type                  Values Removed   Values Added
Description                            vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
Title                                  vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
Weaknesses                             CWE-693
References
Metrics                                cvssV3_1
                                       {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:07:56.706Z

Reserved: 2026-05-18T19:50:18.695Z

Link: CVE-2026-47135

Vulnrichment

Updated: 2026-06-12T15:07:53.488Z

NVD

Status: Deferred

Published: 2026-06-12T15:16:28.007

Modified: 2026-06-12T16:03:15.620

Link: CVE-2026-47135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure