High

Sandbox escape in vm2 via dangerous cross-realm symbols

Identifiers: CVE-2026-47135, CWE-693 · Protection Mechanism Failure

CVE-2026-47135 is a sandbox escape vulnerability in vm2, the Node.js vm/sandbox library. In versions prior to 3.11.4, vm2's Symbol.for override in setup-sandbox.js intercepts only 2 of 9 dangerous Node.js cross-realm symbols. In addition, the bridge layer's set, defineProperty, and deleteProperty traps do not enforce an isDangerousCrossRealmSymbol check on symbol keys. This incomplete filtering allows attacker-controlled sandbox code to obtain real cross-realm symbols and write, define, or delete symbol-keyed properties on host objects exposed to the sandbox. The issue was reportedly validated with a full util.promisify hijack chain, demonstrating that sandboxed code can influence host-side behavior by manipulating Node.js symbol-driven semantics.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows untrusted sandboxed code to break vm2's intended isolation boundaries and influence behavior in the host realm. An attacker can obtain dangerous cross-realm symbols and apply them to host objects, enabling semantic confusion, host control-flow manipulation, integrity violations, and potential bypass of security assumptions in code that relies on Node.js symbol-keyed behavior, including util.promisify and stream/WebStream-related semantics. The provided advisory states this is not a direct remote code execution issue, and the cited CVSS indicates high confidentiality and integrity impact with no stated availability impact.

Mitigation

If you can’t patch tonight, do this now.

Until the fixed version can be deployed, avoid exposing mutable or non-frozen host objects to untrusted vm2 sandboxes, particularly functions, streams, and other objects whose behavior depends on Node.js symbol-keyed properties. As an interim code-level mitigation, block all dangerous nodejs.* Symbol.for keys in setup-sandbox, add isDangerousCrossRealmSymbol checks to bridge write traps, and extend symbol filtering consistently across helper overrides handling cross-realm symbol access.

Remediation

Patch, then assume compromise.

Upgrade vm2 to version 3.11.4 or later. The patch addresses the issue by correcting symbol handling so that all dangerous nodejs.* cross-realm symbols are blocked consistently and by ensuring bridge write traps reject dangerous cross-realm symbol keys. If maintaining a fork or applying a custom fix, synchronize symbol filtering logic across setup-sandbox and related helper code, and add dangerous cross-realm symbol validation to the set, defineProperty, and deleteProperty traps.
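
The write-trap check and Symbol.for filtering described under Mitigation and Remediation, sketched as an added example; this is not vm2's code or the 3.11.4 patch. It assumes every registry symbol whose key starts with "nodejs." counts as dangerous, and guardHostObject, sandboxSymbolFor and rejectDangerousKey are hypothetical names (only isDangerousCrossRealmSymbol is named on this page).

```javascript
// Added illustration, not vm2 source. Assumption: a registry symbol is
// "dangerous" when its Symbol.for key starts with "nodejs.".
const DANGEROUS_PREFIX = 'nodejs.';

function isDangerousCrossRealmSymbol(key) {
  if (typeof key !== 'symbol') return false;
  // Symbol.keyFor returns undefined for symbols that are not in the
  // cross-realm registry, so purely local symbols pass through.
  const name = Symbol.keyFor(key);
  return typeof name === 'string' && name.startsWith(DANGEROUS_PREFIX);
}

// Stand-in for the sandbox-side Symbol.for override: a dangerous key yields
// a fresh local symbol, which host code never looks up, instead of the
// shared registry symbol.
function sandboxSymbolFor(key) {
  const name = String(key);
  return name.startsWith(DANGEROUS_PREFIX) ? Symbol(name) : Symbol.for(name);
}

function rejectDangerousKey(key) {
  if (isDangerousCrossRealmSymbol(key)) {
    throw new TypeError('dangerous cross-realm symbol key rejected');
  }
}

// Hypothetical bridge: every write path to the host object checks the key,
// so a symbol obtained by some route other than Symbol.for is still refused.
function guardHostObject(hostObject) {
  return new Proxy(hostObject, {
    set(target, key, value) {
      rejectDangerousKey(key);
      return Reflect.set(target, key, value);
    },
    defineProperty(target, key, descriptor) {
      rejectDangerousKey(key);
      return Reflect.defineProperty(target, key, descriptor);
    },
    deleteProperty(target, key) {
      rejectDangerousKey(key);
      return Reflect.deleteProperty(target, key);
    },
  });
}
```

The two layers are independent on purpose: filtering Symbol.for alone leaves the traps as the only barrier if a real symbol leaks into the sandbox another way.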
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.
