PatchSiren cyber security CVE debrief
CVE-2026-47135 patriksimek CVE debrief
CVE-2026-47135 is a HIGH-severity vulnerability in vm2, an open-source vm/sandbox for Node.js. Prior to version 3.11.4, the Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. This allows sandbox code to obtain real cross-realm symbols, write them to host objects, and control host-side behavior. The vulnerability has been patched in version 3.11.4.
- Vendor: patriksimek
- Product: vm2
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Anyone running vm2, an open-source vm/sandbox for Node.js, should check their deployments (including transitive copies pulled in by other dependencies) and upgrade to version 3.11.4 or later.
Technical summary
The root cause is that the Symbol.for override in setup-sandbox.js intercepts only 2 of the 9 dangerous Node.js cross-realm symbols. Sandbox code can therefore obtain a real cross-realm symbol, write it onto a host object, and through that influence host-side behavior. The vulnerability carries a CVSS score of 8.7 and is classified as HIGH severity.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to vm2 version 3.11.4 or later.
- Review and update any custom sandbox code to ensure it does not rely on the vulnerable behavior.
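The upgrade step above is easy to miss when vm2 arrives as a transitive dependency, since several copies can coexist under nested node_modules directories. The following script is an added example (not PatchSiren's or vm2's own code) that walks a parsed package-lock.json, collects every vm2 entry from both the lockfileVersion 2/3 `packages` map and the v1 nested `dependencies` tree, and flags any version below the fixed release 3.11.4. The lockfile content and the `some-plugin` package name are constructed for illustration; the comparison treats a prerelease of 3.11.4 as still affected.

```javascript
// Added example (not PatchSiren's or vm2's own code): audit a package-lock.json
// for vm2 copies older than the fixed release 3.11.4. The sample lockfile and
// the "some-plugin" dependency below are constructed for illustration.
const FIXED_VERSION = "3.11.4";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Comparator returning -1, 0 or 1. A prerelease sorts before the same core
// release (3.11.4-rc.1 < 3.11.4), so a pre-release of the fix is still affected.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) return -1; // numeric identifiers sort before alphanumeric
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every vm2 entry: v2/v3 lockfiles list all installs (nested ones too)
// under "packages"; v1 lockfiles nest them under "dependencies".
function findVm2Entries(lock) {
  const found = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      found.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  // v2 lockfiles carry both maps; only walk "dependencies" when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

function auditLockfile(lock) {
  return findVm2Entries(lock).map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed v3-style lockfile: a direct vm2 at the fixed version plus a
// transitive, still-vulnerable copy under a hypothetical "some-plugin" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.4" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.affected ? "AFFECTED, upgrade to >= 3.11.4" : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested copy under `some-plugin` is the case a quick `npm ls vm2` at the top level can hide.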
Evidence notes
The vulnerability was patched in version 3.11.4. References to the patch and advisory can be found at [ref-5](https://github.com/patriksimek/vm2/releases/tag/v3.11.4) and [ref-6](https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp).
Official resources
CVE-2026-47135 was published on 2026-06-12T15:16:28.007Z and modified on 2026-06-12T16:03:15.620Z.