Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
Published: 2026-06-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in vm2’s BaseHandler set trap neglects the receiver parameter, causing every property write to target the host object regardless of the actual receiver. This permits an attacker to inject properties—such as dangerous cross‑realm Symbol keys—into host objects from within a sandboxed context, potentially breaking isolation and enabling arbitrary code execution on the host.

Affected Systems

Any installation of vm2 by patriksimek prior to version 3.11.4 is vulnerable. Users deploying vm2 3.11.3 and earlier are exposed.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to run code inside the vm2 sandbox to trigger the flaw, but once inside the context, the set trap can leak writes to the host, bypassing future guard checks. The attack vector is local to the application using vm2, making it a critical risk for any code that executes untrusted input within a vm2 sandbox.

Generated by OpenCVE AI on June 12, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vm2 to version 3.11.4 or later.
  • If an immediate upgrade is not feasible, deploy the sandboxed code in a stricter runtime isolation, such as a separate container or with hardened Node.js VM settings, to limit the impact of any host object property injection.
  • If upgrading is impossible, apply a filter that blocks dangerous cross‑realm Symbol keys (for example, nodejs.util.promisify.custom) by configuring vm2’s sandbox options or adding pre‑execution validation to reject such assignments.



Advisories

Source: GitHub GHSA
ID: GHSA-c4cf-2hgv-2qv6
Title: vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
History

Fri, 12 Jun 2026 15:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Patriksimek; Patriksimek vm2

Type: Vendors & Products
  Values removed: (none)
  Values added: Patriksimek; Patriksimek vm2

Fri, 12 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: the description text shown at the top of this page

Type: Title
  Values removed: (none)
  Values added: vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-693

Type: References
  Values removed: (none)
  Values added: (not shown)

Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:03:57.071Z

Reserved: 2026-05-18T22:25:21.257Z

Link: CVE-2026-47209

Vulnrichment

Updated: 2026-06-12T15:03:50.873Z

NVD

Status: Deferred

Published: 2026-06-12T15:16:28.900

Modified: 2026-06-12T16:03:15.620

Link: CVE-2026-47209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-693: Protection Mechanism Failure