Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
Published: 2026-06-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in vm2's BaseHandler set trap ignores the receiver parameter, so every property write that reaches the trap is applied to the host target object regardless of which object was actually written to. Code running inside the sandbox can therefore inject properties, including dangerous cross-realm Symbol keys such as nodejs.util.promisify.custom, into host objects by writing through an object that inherits from a bridged proxy, breaking the isolation boundary the sandbox relies on; the CVSS vector rates this as an integrity-only impact with changed scope. The advisory classifies the flaw as CWE-693 (Protection Mechanism Failure) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

Affected Systems

Any installation of vm2 by patriksimek prior to version 3.11.4 is vulnerable. Users deploying vm2 3.11.3 and earlier are exposed.

Risk and Exploitability

The CVSS 3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) rates the flaw High: no privileges or user interaction are required, scope is changed because writes cross from the sandbox realm into the host realm, and the impact is to integrity only. The EPSS score below 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records a public proof of concept and rates the issue automatable. The precondition is that the attacker can run JavaScript inside the vm2 sandbox, which is exactly the situation of any application that evaluates untrusted input with vm2. From there, a write through an object created with Object.create on a bridged proxy lands on the host object, and because this prototype-chain path never goes through a direct assignment on the proxy, a guard that checks only the direct set path does not stop it.

Generated by OpenCVE AI on June 24, 2026 at 09:32 UTC.

Remediation

The vendor fix is vm2 3.11.4 (see the Description above); no separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade vm2 to version 3.11.4 or later, which corrects the BaseHandler set trap.
  • If an immediate upgrade is not feasible, apply the upstream fix to your pinned copy of vm2: the set trap must forward the receiver argument to Reflect.set so that an inherited write creates an own property on the receiver instead of on the host target, and writes of dangerous cross‑realm Symbol keys such as nodejs.util.promisify.custom should be refused. Validating the receiver addresses CWE‑693; refusing attacker‑chosen keys limits CWE‑915.
  • As a short‑term containment measure, run code that must be sandboxed in a separate process or container with minimal privileges, so that a property injected into a host object cannot reach anything sensitive. Note that the Node.js built‑in vm module is explicitly not a security mechanism and has no security flags; it is not a substitute for process or container isolation.

Generated by OpenCVE AI on June 24, 2026 at 09:32 UTC.
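The following is an added example, not code from vm2 or from the advisory. It reproduces, with a minimal stand-in for vm2's bridge, the Proxy set-trap receiver semantics the Description explains, and implements the receiver-forwarding, key-refusing trap the recommended actions above describe. makeHost, buggyHandler, fixedHandler, DANGEROUS_KEYS, inheritedWrite and directWrite are constructed here for illustration; the denylist stands in for, and is not, vm2's own isDangerousCrossRealmSymbol guard.

```javascript
// Added example for this page: a minimal reproduction of the Proxy set-trap
// receiver bug the advisory describes, next to the corrected trap.
// This is NOT vm2's bridge.js; everything below is constructed for illustration.

// Constructed stand-in for a host-realm object that a sandbox sees through a Proxy.
function makeHost() {
  return { name: 'host' };
}

// The symbol the advisory names as a dangerous cross-realm key. It comes from the
// global symbol registry, so the same Symbol is reachable from every realm.
const PROMISIFY_CUSTOM = Symbol.for('nodejs.util.promisify.custom');

// Constructed denylist for the "refuse dangerous cross-realm Symbol keys"
// recommendation; vm2's real guard is not reproduced here.
const DANGEROUS_KEYS = new Set([PROMISIFY_CUSTOM]);

// Buggy trap (the pre-3.11.4 shape): `receiver` is dropped, so Reflect.set falls
// back to the target as receiver and every inherited write lands on the host.
const buggyHandler = {
  set(target, key, value) {
    return Reflect.set(target, key, value);
  },
};

// Corrected trap: forwards `receiver`. Per the Proxy specification, when the
// receiver is a child created with Object.create(proxy), Reflect.set defines an
// own property on that child and leaves the host target untouched. Writes of
// denylisted symbols are refused by returning false (strict-mode callers see a
// TypeError; Reflect.set callers see `false`).
const fixedHandler = {
  set(target, key, value, receiver) {
    if (DANGEROUS_KEYS.has(key)) return false;
    return Reflect.set(target, key, value, receiver);
  },
};

// Write through the prototype chain (child -> proxy -> host) and report where
// the property ended up. Reflect.set is used instead of `child[key] = value` so
// a refused write returns false rather than throwing, whatever the strictness.
function inheritedWrite(handler, key, value) {
  const host = makeHost();
  const proxy = new Proxy(host, handler);
  const child = Object.create(proxy);
  const ok = Reflect.set(child, key, value);
  return {
    ok,
    hostHas: Object.prototype.hasOwnProperty.call(host, key),
    childHas: Object.prototype.hasOwnProperty.call(child, key),
  };
}

// Write directly on the proxy; with both traps a permitted key reaches the host,
// which is the intended behaviour of a bridged object.
function directWrite(handler, key, value) {
  const host = makeHost();
  const proxy = new Proxy(host, handler);
  const ok = Reflect.set(proxy, key, value);
  return { ok, hostHas: Object.prototype.hasOwnProperty.call(host, key) };
}

console.log('buggy, inherited  :', inheritedWrite(buggyHandler, PROMISIFY_CUSTOM, () => {}));
console.log('fixed, inherited  :', inheritedWrite(fixedHandler, PROMISIFY_CUSTOM, () => {}));
console.log('fixed, inherited x:', inheritedWrite(fixedHandler, 'x', 1));
console.log('fixed, direct x   :', directWrite(fixedHandler, 'x', 1));
```

With the buggy trap the inherited write of nodejs.util.promisify.custom shows `hostHas: true, childHas: false`: the sandbox never touched the proxy directly, yet the host object now carries the symbol. With the corrected trap an ordinary inherited key ends up as an own property of the child only, and the denylisted symbol is refused on both the inherited and the direct path.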


Advisories

Source: GitHub GHSA
ID: GHSA-c4cf-2hgv-2qv6
Title: vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
History

Wed, 24 Jun 2026 00:15:00 +0000
  Weaknesses: added CWE-915
  References: updated
  Metrics: threat_severity changed from None to Moderate

Fri, 12 Jun 2026 15:45:00 +0000
  First Time appeared: Patriksimek; Patriksimek vm2
  Vendors & Products: added Patriksimek; Patriksimek vm2

Fri, 12 Jun 2026 15:30:00 +0000
  Metrics: ssvc added {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000
  Description: added (the text shown under Description above)
  Title: added "vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain"
  Weaknesses: added CWE-693
  References: added
  Metrics: cvssV3_1 added {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:03:57.071Z

Reserved: 2026-05-18T22:25:21.257Z

Link: CVE-2026-47209

Vulnrichment

Updated: 2026-06-12T15:03:50.873Z

NVD

Status: Deferred

Published: 2026-06-12T15:16:28.900

Modified: 2026-06-12T16:03:15.620

Link: CVE-2026-47209

Redhat

Severity: Moderate

Public Date: 2026-06-12T14:14:06Z

Links: CVE-2026-47209 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes