Compliance Impact

CVE-2026-47135 is a high-severity sandbox escape vulnerability in the vm2 library that allows sandboxed code to manipulate host-side behavior by exploiting unblocked cross-realm symbols. This can lead to semantic confusion, data integrity issues, and defense bypasses.

While the vulnerability does not directly enable remote code execution, the ability to control host-side behavior and manipulate internal Node.js symbols could potentially lead to unauthorized data access or modification.

Such unauthorized access or manipulation could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity, confidentiality, and prevention of unauthorized access.

Therefore, failure to patch this vulnerability could increase the risk of non-compliance due to potential data breaches or unauthorized control over sensitive operations within applications using vm2.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-47135 is a high-severity vulnerability in the vm2 sandbox library for Node.js, present in versions prior to 3.11.4. The issue arises because the sandbox's override of Symbol.for only intercepts 2 out of 9 dangerous Node.js cross-realm symbols, allowing sandboxed code to access real cross-realm symbols. Additionally, the bridge's write traps (set, defineProperty, deleteProperty) lack checks for dangerous symbols, enabling sandbox code to write these symbols to host objects and manipulate host-side behavior.

This vulnerability allows attackers to hijack internal Node.js mechanisms such as util.promisify and manipulate stream branding, leading to sandbox escape and control over host behavior. The root cause is incomplete filtering of dangerous symbols and missing validation in the bridge's write traps.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to sandbox escape, allowing malicious sandboxed code to manipulate host-side Node.js internals. Specifically, attackers can hijack important functions like util.promisify, alter stream branding, and perform unauthorized actions on host objects.

The impact includes semantic confusion, data integrity issues, and bypassing security defenses within the host environment. Although it does not directly enable remote code execution, it can be used as a stepping stone for further attacks or to compromise the integrity and behavior of the host application.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if the vm2 library version in use is prior to 3.11.4, as these versions contain the sandbox escape issue.

Specifically, you can check the installed vm2 version in your Node.js environment by running the command:

• npm list vm2

If the version is earlier than 3.11.4, your system is vulnerable.

Additionally, monitoring for suspicious sandbox behavior such as unexpected access to Node.js internal symbols (e.g., util.promisify hijack attempts) or unusual host object modifications could indicate exploitation attempts, but no specific detection commands are provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the vm2 library to version 3.11.4 or later, where the vulnerability has been fully patched.

This update includes comprehensive fixes such as blocking the entire nodejs.* Symbol.for namespace, adding checks for all nine dangerous cross-realm symbols in the bridge's write traps, and synchronizing dangerous symbol filters to prevent sandbox escape.

Additionally, reviewing and hardening NodeVM configurations by explicitly specifying require objects and avoiding nesting-based bypasses is recommended to prevent related security issues.

Consult the updated documentation and release notes for further hardening measures.

Useful 0 Not Useful 0