CVE Vulnerability Database

CVE-2026-47135: vm2 Node.js Sandbox RCE Vulnerability

CVE-2026-47135 is a remote code execution flaw in the vm2 sandbox library for Node.js. Untrusted code running inside the sandbox can obtain real cross-realm symbols and use them to write onto host objects, bypassing the sandbox protections. This article covers the technical details, affected versions, and mitigation.


CVE-2026-47135 Overview

CVE-2026-47135 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.4 contain an incomplete Symbol.for override in setup-sandbox.js that intercepts only 2 of 9 dangerous Node.js cross-realm symbols, so sandboxed code can obtain the real registry symbol for any of the seven uncovered keys. In addition, the bridge's set, defineProperty, and deleteProperty traps never run the isDangerousCrossRealmSymbol check on the property key, so sandboxed code can write properties keyed by those symbols onto host objects and thereby control host-side behavior. The advisory demonstrates this with a full util.promisify hijack chain. The maintainers patched the issue in version 3.11.4.

Critical Impact

Untrusted code executed inside a vm2 sandbox can escape isolation, manipulate host objects, and execute arbitrary code in the Node.js host process.

Affected Products

  • vm2 Node.js sandbox library, all versions prior to 3.11.4
  • Node.js applications embedding vm2 for untrusted code execution
  • Downstream packages depending on vulnerable vm2 releases

Discovery Timeline

  • 2026-06-12 - CVE-2026-47135 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47135

Vulnerability Analysis

The vulnerability is classified as a Protection Mechanism Failure ([CWE-693]) resulting in sandbox escape. vm2 isolates untrusted code using a proxy-based bridge between the sandbox realm and the host realm. The bridge intercepts symbol-based property access to prevent sandboxed code from referencing host-side internal symbols. This matters because Symbol.for uses one global symbol registry shared by every realm in the process: a symbol the sandbox mints with Symbol.for('nodejs.util.promisify.custom') is the very same value the host's util.promisify looks up. The override in setup-sandbox.js enumerates only two of nine cross-realm symbols flagged as dangerous, leaving seven such keys reachable from sandboxed code.

Once sandboxed code obtains a real cross-realm symbol, it can write properties keyed by that symbol onto host objects through the bridge. The bridge's set, defineProperty, and deleteProperty traps do not call the isDangerousCrossRealmSymbol check before forwarding the operation. This allows the sandbox to plant or overwrite the symbol-keyed properties that host APIs consult; util.promisify, for example, returns the function stored under the nodejs.util.promisify.custom symbol instead of wrapping the original. The published proof-of-concept hijacks util.promisify this way so that a host-side call hands back, and runs, an attacker-controlled function outside the sandbox.

Root Cause

The root cause is an incomplete blocklist combined with missing key validation in proxy traps. The Symbol.for interceptor enumerates a subset of dangerous symbols. The mutation traps on the bridge proxy never consult the blocklist at all. Both gaps must be closed to restore the intended isolation boundary.

Attack Vector

Exploitation requires the ability to submit JavaScript for execution inside a vm2 sandbox. This commonly occurs in serverless function platforms, low-code engines, plugin runtimes, and online code evaluators. The attack runs entirely within the sandbox script and produces host-side code execution without privileged credentials. See the GitHub Security Advisory GHSA-m5q2-4fm3-vfqp for the full exploitation chain.

Detection Methods for CVE-2026-47135

Indicators of Compromise

  • Sandboxed scripts referencing Symbol.for with arguments matching Node.js internal symbol names such as nodejs.util.promisify.custom.
  • Unexpected child process spawns, network connections, or filesystem writes originating from the Node.js process that hosts vm2.
  • Modifications to host objects shared with the sandbox immediately following untrusted code submission.

Detection Strategies

  • Inventory package-lock.json and yarn.lock files across repositories and build artifacts for vm2 versions below 3.11.4.
  • Instrument the Node.js host with process telemetry to flag execution of shells, network tools, or file utilities spawned from the embedding process.
  • Review application logs for sandbox errors referencing cross-realm symbols or proxy trap failures.

Monitoring Recommendations

  • Forward Node.js process and child-process telemetry to a centralized analytics platform for correlation with sandbox submission events.
  • Alert on outbound connections initiated by services that should only execute user-supplied code in isolation.
  • Track Software Composition Analysis (SCA) findings for vm2 and block builds that resolve to versions below 3.11.4.

How to Mitigate CVE-2026-47135

Immediate Actions Required

  • Upgrade vm2 to version 3.11.4 or later in all production, staging, and development environments.
  • Audit application code paths that accept user-supplied JavaScript and temporarily disable them until the patch is deployed.
  • Rotate secrets accessible to the Node.js host process if untrusted code execution cannot be ruled out.

Patch Information

The maintainers released the fix in vm2 v3.11.4 on GitHub. The fix commit expands the dangerous cross-realm symbol set covered by the Symbol.for override and adds key validation to the bridge's set, defineProperty, and deleteProperty traps. Note that the vm2 project has publicly stated it is no longer actively maintained, so operators should plan migration to an actively supported sandbox alternative rather than rely on further patches.

Workarounds

  • Migrate workloads from vm2 to isolated execution environments such as separate processes, containers, or V8 isolates with strict resource limits.
  • Apply operating system level isolation such as seccomp, AppArmor, or gVisor around any Node.js process executing untrusted scripts.
  • Restrict the host API surface exposed to sandboxed code and avoid sharing mutable host objects with the sandbox.
```bash
# Upgrade vm2 to the patched release, then confirm which version actually resolved
npm install vm2@3.11.4 --save
npm ls vm2
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
