CVE-2026-47209 (HIGH). CNA: GitHub_M

CVE-2026-47209: vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
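As an added illustration (not code from vm2 or from this record), the two Proxy handler shapes the description contrasts: a `set` trap that drops `receiver`, beside the spec-compliant form that forwards it. The names `makeLeakyProxy`, `makeSafeProxy` and the probe helpers are chosen here for the demonstration.

```javascript
// Added example, not vm2's bridge.js: the Proxy `set` trap semantics behind
// this advisory. The trap receives (target, key, value, receiver); when a
// write happens on an object that merely inherits from the proxy, `receiver`
// is that child object, not the proxy.

// Buggy pattern: receiver dropped, so Reflect.set defaults the receiver to
// the target and every inherited write lands on the (host-side) target.
function makeLeakyProxy(target) {
  return new Proxy(target, {
    set(obj, key, value) {
      return Reflect.set(obj, key, value);
    },
  });
}

// Spec-compliant pattern: forwarding receiver lets OrdinarySet define an own
// property on the child when receiver !== proxy, leaving the target untouched.
function makeSafeProxy(target) {
  return new Proxy(target, {
    set(obj, key, value, receiver) {
      return Reflect.set(obj, key, value, receiver);
    },
  });
}

// Probe: write through an inheriting child and report where the key landed.
// Works for string and Symbol keys alike; the advisory's concern is Symbol keys.
function probeInheritedWrite(makeProxy, key) {
  const target = {};
  const proxy = makeProxy(target);
  const child = Object.create(proxy); // child -> proxy -> target
  child[key] = 'written-by-child';
  return {
    onTarget: Object.prototype.hasOwnProperty.call(target, key),
    onChild: Object.prototype.hasOwnProperty.call(child, key),
  };
}
// Direct writes on the proxy itself (receiver === proxy) must still reach the
// target in both variants; this is what the fix has to preserve.
function probeDirectWrite(makeProxy) {
  const target = {};
  const proxy = makeProxy(target);
  proxy.direct = 1;
  return target.direct === 1;
}

const probeKey = Symbol('constructed.example.key'); // constructed sample key
console.log('leaky:', probeInheritedWrite(makeLeakyProxy, probeKey));
console.log('safe: ', probeInheritedWrite(makeSafeProxy, probeKey));
```

With the leaky handler the child's write shows up as an own property of the target; with the receiver forwarded it becomes an own property of the child only, while direct writes on the proxy still reach the target in both cases.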

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in
Affected Products: 1


HarborGuard Analysis

Synopsis

An integrity bypass vulnerability exists in the vm2 sandbox library for Node.js, caused by the BaseHandler.set Proxy trap incorrectly ignoring the receiver parameter when writing properties. The flaw is reachable over the network without authentication, as any application exposing vm2 sandbox execution to remote input is affected. Successful exploitation allows an attacker to inject properties (including dangerous cross-realm Symbol keys) onto host objects outside the sandbox, breaking the isolation boundary and enabling tampered host-object behavior. A patched-image rebuild at version 3.11.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle vm2 as a direct or transitive dependency. Any image carrying a vm2 version below 3.11.4 is flagged immediately upon the next pipeline scan or registry push.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.6 HIGH (CVSSv3.1) and weights it further against each environment's configured compliance policy, escalating findings in scopes designated as internet-facing or untrusted-input-processing. Routed alerts reach the correct team inbox within each customer org based on image ownership and policy assignment.

Status: Available

Patch

A patched-image rebuild at vm2 3.11.4 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target service over the network; any application that accepts remote input and passes it into a vm2 sandbox is exposed.

  • Authentication: Not required

    No credentials or account are needed; the vulnerability is exploitable by any unauthenticated caller who can submit input to the sandboxed execution path.

  • Victim interaction: Not required

    No user action is required; exploitation is fully attacker-driven without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, specific memory layout, or other environmental preconditions.

Blast Radius

  • Writes arbitrary properties onto host objects outside the vm2 sandbox, breaking the isolation boundary that prevents guest code from influencing the host Node.js process.
  • Injects dangerous cross-realm Symbol keys (such as nodejs.util.promisify.custom) onto host objects, allowing an attacker to alter the behavior of built-in Node.js utilities in the host context.
  • Bypasses any per-trap isDangerousCrossRealmSymbol guard on the direct set path, undermining future or existing defensive mitigations within vm2 itself.
  • Does not directly expose stored data or crash the service, but tampered host-object state can chain into further exploitation of the host process.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all scanning pipelines, matching images that include vm2 below 3.11.4. Because a fix exists at version 3.11.4, a patched-image rebuild is available for any affected image identified in a customer registry or CI pipeline. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes regression tests, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with remediation guidance pointing to the 3.11.4 upgrade. Given that this vulnerability has a Scope: Changed rating and requires no authentication, prioritizing it in internet-facing or multi-tenant Node.js environments running vm2-backed sandboxes is strongly advised.

Affected packages
  • patriksimek / vm2: < 3.11.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N