Severity: HIGH | CVE-2026-47135 | CNA: GitHub_M

CVE-2026-47135: vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
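The defect described above has two halves: a dangerous-symbol list that is incomplete, and bridge write traps that never consult it at all. The following is an added illustration, not vm2's code, of the defensive shape that closes the second half: one shared key check applied in every write-shaped Proxy trap. The two registry symbol names used are real Node.js ones (`nodejs.util.promisify.custom` is `util.promisify.custom`); treating every `nodejs.`-prefixed registry symbol as reserved is an assumption this example makes to generalise.

```javascript
// Added example, not vm2's code: a host object exposed to untrusted code only
// through a Proxy whose write-shaped traps (set, defineProperty, deleteProperty)
// all reject registry symbols reserved by Node.js. Guarding only `set` would
// leave Object.defineProperty and `delete` as unguarded write paths.

// Assumption: Node.js registers its cross-realm symbols under the "nodejs."
// prefix (e.g. Symbol.for('nodejs.util.promisify.custom') is util.promisify.custom).
const NODE_SYMBOL_PREFIX = 'nodejs.';

function isDangerousCrossRealmSymbol(key) {
  if (typeof key !== 'symbol') return false;
  // Symbol.keyFor is undefined for non-registry symbols, so only Symbol.for()
  // symbols, the kind that are shared across realms, can ever match.
  const registryKey = Symbol.keyFor(key);
  return registryKey !== undefined && registryKey.startsWith(NODE_SYMBOL_PREFIX);
}

function guardHostObject(target) {
  const reject = (key) => {
    if (isDangerousCrossRealmSymbol(key)) {
      throw new TypeError(`blocked write to reserved symbol ${String(key)}`);
    }
  };
  return new Proxy(target, {
    set(t, key, value, receiver) { reject(key); return Reflect.set(t, key, value, receiver); },
    defineProperty(t, key, desc) { reject(key); return Reflect.defineProperty(t, key, desc); },
    deleteProperty(t, key) { reject(key); return Reflect.deleteProperty(t, key); },
  });
}

// Reports, per write path, whether a write keyed by `key` reaches the host object.
function probeWritePaths(key) {
  const attempts = {
    set: (p) => { p[key] = 1; },
    defineProperty: (p) => { Object.defineProperty(p, key, { value: 1, configurable: true }); },
    deleteProperty: (p) => { delete p[key]; },
  };
  const results = {};
  for (const [name, attempt] of Object.entries(attempts)) {
    try {
      attempt(guardHostObject({}));
      results[name] = 'allowed';
    } catch (e) {
      results[name] = e instanceof TypeError ? 'blocked' : 'error';
    }
  }
  return results;
}
```

`probeWritePaths` is the check a reviewer of a membrane would run: every path must report `blocked` for a reserved registry symbol, and `allowed` for plain strings and application-local symbols.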

Metrics

CVSS v3.1: 8.7
Severity: HIGH
Fixed in: 3.11.4
Affected products: 1


HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in vm2, a widely used Node.js sandboxing library. An attacker can send a crafted payload over the network without any authentication, exploiting incomplete symbol interception in the sandbox setup and missing property-trap checks in the bridge layer to obtain real cross-realm JavaScript Symbols and write them to host objects. Successful exploitation gives the attacker full control over host-side behavior, confirmed via a working util.promisify hijack chain that breaks out of the sandbox entirely, enabling arbitrary code execution in the host Node.js process. A patched-image rebuild at version 3.11.4 is available on HarborGuard for environments running an affected version of vm2.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-47135 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle vm2 directly.

Triage: Available

HarborGuard scores this CVE at CVSS 8.7 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) and surfaces it with scope-changed weighting where applicable; per-environment compliance policy rules are applied to route the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

A patched-image rebuild pinned to vm2 3.11.4 is available on HarborGuard for any environment whose scanned images include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker submits a crafted payload to a publicly or internally exposed vm2-backed endpoint.

  • Authentication: Not required

    No credentials or session token are needed; the exploit works against an unauthenticated vm2 evaluation surface.

  • Victim interaction: Not required

    No user action is required; the attacker triggers the vulnerability entirely through their own network request.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must satisfy specific preconditions around symbol resolution timing and bridge trap invocation order, though a working proof-of-concept chain has already been demonstrated publicly.

Blast Radius

  • The attacker escapes the vm2 sandbox entirely and executes arbitrary code in the host Node.js process.
  • Host-side JavaScript objects are hijacked by overwriting cross-realm Symbol keys, giving the attacker control over built-in utility behavior such as util.promisify callbacks.
  • All data accessible to the host process becomes readable, including environment variables, secrets loaded at runtime, and in-memory application state.
  • The attacker can tamper with host application logic and persisted data through the now-compromised host process, though service availability is not directly impacted by this vector.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47135 is active across all customer scan targets, covering both pulled registry images and images built in customer CI pipelines that include vm2 as a dependency. Where a customer image includes vm2 at a version below 3.11.4, a rebuilt image at the patched version is available. For customers who have opted into auto-remediation, HarborGuard triggers a rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Given that this is a scope-changed, network-reachable sandbox escape with no authentication barrier, customers running vm2 in any multi-tenant or user-input-processing context should treat remediation as urgent. Where immediate patching is not feasible, consider isolating vm2-backed services behind a network policy that restricts inbound access to trusted sources only, and review whether untrusted code evaluation can be temporarily gated via a feature flag until the patched image is deployed.

Affected packages

  • patriksimek/vm2 < 3.11.4

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N