Security Flaw in vm2 Open Source Sandbox Affects Node.js
CVE-2026-47209

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47209?

A vulnerability in the vm2 open source sandbox for Node.js allows unintentional writes to the host target object due to improper handling of the receiver parameter in the BaseHandler.set trap. This oversight can lead to property assignments that bypass intended security mechanisms, giving an attacker an additional vector to manipulate dangerous cross-realm Symbol keys. This flaw has been resolved in version 3.11.4, emphasizing the importance of keeping software up to date to mitigate potential security risks.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.