VM/Sandbox Vulnerability in vm2 Affects Node.js Applications
CVE-2026-47135

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47135?

The vm2 library, a popular sandboxing solution for Node.js applications, contains a vulnerability that allows malicious sandbox code to manipulate cross-realm symbols. Prior to version 3.11.4, the setup-sandbox.js file was unable to adequately secure cross-realm operations, exposing host objects to potentially harmful modifications. The existing safeguard only intercepted a portion of the dangerous symbols, enabling an attacker to exploit this weakness through a hijacking chain. This issue was addressed in the 3.11.4 release, which includes critical patches to enhance security and prevent unauthorized host-side control.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.