CVE-2026-47209
Status: Deferred - Pending Action
Prototype Pollution in vm2 Sandbox via Proxy set Trap

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
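The receiver bug described above, reduced to its core in an added example that is not vm2's code: a Proxy set trap that ignores the receiver beside one that forwards it. The names makeLeakyProxy, makeStrictProxy and writeViaChild belong to this example only, and vm2's bridge.js is not reproduced.

```javascript
// Added example, not vm2's code: a "set" trap that ignores `receiver` beside one
// that forwards it. makeLeakyProxy, makeStrictProxy and writeViaChild are names
// of this example only; vm2's bridge.js is not reproduced here.

// Vulnerable pattern: every write is forwarded to the target. Reflect.set with
// no receiver argument uses the target as receiver, so a write through a child
// object that merely inherits from the proxy becomes an own property of the target.
function makeLeakyProxy(target) {
  return new Proxy(target, {
    set(obj, key, value /* receiver ignored */) {
      return Reflect.set(obj, key, value);
    },
  });
}

// Corrected pattern: forward the receiver. Per the ECMA-262 [[Set]] algorithm,
// when the receiver is not the proxy (e.g. Object.create(proxy)), the own
// property is created on the receiver and the target is left untouched.
function makeStrictProxy(target) {
  return new Proxy(target, {
    set(obj, key, value, receiver) {
      return Reflect.set(obj, key, value, receiver);
    },
  });
}

// Writes one string key and one symbol key through an object that inherits from
// the proxy, and reports where each write ended up.
function writeViaChild(makeProxy) {
  const hostTarget = {};              // stands in for an exposed host object
  const proxy = makeProxy(hostTarget);
  const child = Object.create(proxy); // sandbox-side object inheriting from the proxy
  const sym = Symbol('constructed-example-key'); // constructed key, not a real cross-realm symbol
  child.marker = 'from-child';        // trap is invoked with receiver === child
  child[sym] = 'from-child';
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    hostHasString: own(hostTarget, 'marker'),
    hostHasSymbol: own(hostTarget, sym),
    childHasString: own(child, 'marker'),
    childHasSymbol: own(child, sym),
  };
}

console.log('receiver ignored :', writeViaChild(makeLeakyProxy));
console.log('receiver honoured:', writeViaChild(makeStrictProxy));
```

With the leaky handler both writes land on the host target; with the corrected handler they stay on the child, which is the behaviour a sandbox boundary needs.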
Affected Vendors & Products (2 associated CPEs)
Vendor        Product   Version / Range
patriksimek   vm2       up to 3.11.4 (exclusive)
patriksimek   vm2       3.11.4
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Executive Summary

The vulnerability in vm2 involves the BaseHandler.set trap in bridge.js ignoring the receiver parameter as specified by the ECMA-262 Proxy set trap specification. Instead of creating an own property on the receiver when it differs from the proxy, the implementation always writes directly to the host target object.

This flaw allows sandboxed code to write properties to host objects through inherited proxies or forged receivers, effectively turning exposed host objects into write channels. Attackers can exploit this to inject dangerous cross-realm Symbol keys, such as nodejs.util.promisify.custom, bypassing security guards and enabling arbitrary code execution.

The issue was fixed in version 3.11.4 by properly handling the receiver parameter and adding checks for dangerous Symbol keys.

Impact Analysis

This vulnerability can allow attackers to manipulate host-side behavior by injecting arbitrary properties into host objects from sandboxed code. This can lead to execution of arbitrary code or hijacking of important internal functions, such as those linked to nodejs.util.promisify.custom.

Because exploitation requires no privileges and no user interaction, it poses a significant security risk, potentially compromising the integrity of applications using the vulnerable vm2 versions.

Detection Guidance

This vulnerability involves the vm2 library's BaseHandler.set trap ignoring the receiver parameter, allowing sandboxed code to write properties to host objects improperly.

To detect this vulnerability on your system, you can check the version of the vm2 library in use. Versions prior to 3.11.4 are vulnerable.

The resources provide no network-level detection signature; instead, run the following command in your project directory to check the installed vm2 version:

  • npm list vm2

If the version is less than 3.11.4, your system is vulnerable.

Additionally, audit your codebase for usage of vm2 and check whether any untrusted sandboxed code can write properties to host objects via proxies or objects that inherit from them, paying particular attention to writes involving Symbol keys such as nodejs.util.promisify.custom.

Mitigation Strategies

The primary mitigation step is to upgrade the vm2 library to version 3.11.4 or later, where the vulnerability has been patched.

This update properly handles the receiver parameter in the BaseHandler.set trap and adds additional checks to prevent dangerous Symbol-keyed property writes.

If upgrading immediately is not possible, consider restricting or auditing the use of sandboxed code that relies on vm2 to prevent exploitation.

Compliance Impact

The vulnerability in vm2 allows sandboxed code to write arbitrary properties, including dangerous Symbol-keyed properties, to host objects. This can lead to unauthorized manipulation of host-side behavior and potentially arbitrary code execution.

Such unauthorized access and control over host objects could result in breaches of data integrity and security, which are critical aspects of compliance with standards like GDPR and HIPAA.

If exploited in environments handling sensitive personal or health data, this vulnerability could lead to violations of confidentiality and integrity requirements mandated by these regulations.
