Security Flaw in vm2 Open Source Sandbox Affects Node.js
CVE-2026-47209
8.6HIGH
What is CVE-2026-47209?
A vulnerability in the vm2 open source sandbox for Node.js allows unintentional writes to the host target object due to improper handling of the receiver parameter in the BaseHandler.set trap. This oversight can lead to property assignments that bypass intended security mechanisms, giving an attacker an additional vector to manipulate dangerous cross-realm Symbol keys. This flaw has been resolved in version 3.11.4, emphasizing the importance of keeping software up to date to mitigate potential security risks.
Affected Version(s)
vm2 < 3.11.4
