VM/Sandbox Vulnerability in vm2 Affects Node.js Applications
CVE-2026-47135
8.7HIGH
What is CVE-2026-47135?
The vm2 library, a popular sandboxing solution for Node.js applications, contains a vulnerability that allows malicious sandbox code to manipulate cross-realm symbols. Prior to version 3.11.4, the setup-sandbox.js file was unable to adequately secure cross-realm operations, exposing host objects to potentially harmful modifications. The existing safeguard only intercepted a portion of the dangerous symbols, enabling an attacker to exploit this weakness through a hijacking chain. This issue was addressed in the 3.11.4 release, which includes critical patches to enhance security and prevent unauthorized host-side control.
Affected Version(s)
vm2 < 3.11.4
