Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-47209

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Jun, 2026 | 14:14
Updated At-12 Jun, 2026 | 15:03
Rejected At-
Credits

vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Jun, 2026 | 14:14
Updated At:12 Jun, 2026 | 15:03
Rejected At:
▼CVE Numbering Authority (CNA)
vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.

Affected Products
Vendor
patriksimek
Product
vm2
Versions
Affected
  • < 3.11.4
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693: Protection Mechanism Failure
Type: CWE
CWE ID: CWE-693
Description: CWE-693: Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6
x_refsource_CONFIRM
https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22
x_refsource_MISC
https://github.com/patriksimek/vm2/releases/tag/v3.11.4
x_refsource_MISC
Hyperlink: https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22
Resource:
x_refsource_MISC
Hyperlink: https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Jun, 2026 | 15:16
Updated At:12 Jun, 2026 | 16:03

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-693Primarysecurity-advisories@github.com
CWE ID: CWE-693
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22security-advisories@github.com
N/A
https://github.com/patriksimek/vm2/releases/tag/v3.11.4security-advisories@github.com
N/A
https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6security-advisories@github.com
N/A
Hyperlink: https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

12Records found
CVE-2026-47135
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:14
Updated-12 Jun, 2026 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-47139
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:15
Updated-12 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-47140
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-Not Assigned
Published-12 Jun, 2026 | 14:16
Updated-12 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-44000
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.89%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 17:23
Updated-13 May, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: sandbox boundary bypass via host Promise resolution preserving host object identity

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including performing identity checks using host-side WeakMap and mutating host object state from inside the sandbox. This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object. As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation. This vulnerability is fixed in 3.11.0.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-44003
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 15.74%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 17:30
Updated-13 May, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-26956
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.13% / 31.89%
||
7 Day CHG+0.01%
Published-04 May, 2026 | 16:37
Updated-08 May, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-24118
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 38.97%
||
7 Day CHG+0.01%
Published-04 May, 2026 | 16:28
Updated-08 May, 2026 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VM2 Sandbox Breakout Through __lookupGetter__

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-24781
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 40.24%
||
7 Day CHG+0.02%
Published-04 May, 2026 | 16:33
Updated-08 May, 2026 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Sandbox Breakout Through Inspect

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-26332
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 25.19%
||
7 Day CHG+0.01%
Published-04 May, 2026 | 16:35
Updated-06 May, 2026 | 12:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-24120
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.13% / 31.83%
||
7 Day CHG+0.01%
Published-04 May, 2026 | 16:31
Updated-08 May, 2026 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Sandbox Breakout Through Promise Species

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-22709
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.05% / 17.27%
||
7 Day CHG~0.00%
Published-26 Jan, 2026 | 21:32
Updated-17 Feb, 2026 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2 has a Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.

Action-Not Available
Vendor-vm2_projectpatriksimek
Product-vm2vm2
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-913
Improper Control of Dynamically-Managed Code Resources
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-45411
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.14% / 34.50%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 18:20
Updated-19 Sep, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Twig has a possible sandbox bypass

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Action-Not Available
Vendor-symfonytwigphpsymfony
Product-twigTwigtwig
CWE ID-CWE-693
Protection Mechanism Failure
Details not found