PatchSiren cyber security CVE debrief
CVE-2026-47209 patriksimek CVE debrief
CVE-2026-47209 is a HIGH severity vulnerability in vm2, an open-source vm/sandbox for Node.js. The vulnerability allows for a sandbox bypass due to improper set trap implementation in the BaseHandler, enabling an attacker to write to the host target object. This could lead to the bypassing of future security guards and the writing of dangerous cross-realm Symbol keys to host objects.
- Vendor
- patriksimek
- Product
- vm2
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of vm2 sandbox for Node.js, especially those using versions prior to 3.11.4, should be aware of this vulnerability and take immediate action to patch their systems.
Technical summary
The BaseHandler.set trap in bridge.js (line 1231) of vm2 prior to version 3.11.4 ignores the receiver parameter and unconditionally writes to the host target object. According to the Proxy set trap specification, when the receiver is not the proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. This incorrect implementation allows all inherited property writes to leak through to the host object, providing an alternative attack vector for writing dangerous cross-realm Symbol keys to host objects.
Defensive priority
HIGH
Recommended defensive actions
- Update vm2 to version 3.11.4 or later.
- Review and monitor your systems for any suspicious activity related to this vulnerability.
Evidence notes
The CVE-2026-47209 vulnerability was patched in version 3.11.4 of vm2. References to the patch and advisory can be found at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-47209 was published on 2026-06-12T15:16:28.900Z and modified on 2026-06-12T16:03:15.620Z.