{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47135", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-18T19:50:18.695Z", "datePublished": "2026-06-12T14:14:42.022Z", "dateUpdated": "2026-06-13T03:55:55.641Z"}, "containers": {"cna": {"title": "vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"}, {"name": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878"}, {"name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.11.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:14:42.022Z"}, "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior \u2014 verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4."}], "source": {"advisory": "GHSA-m5q2-4fm3-vfqp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-47135"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-13T03:55:55.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47135", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-12T15:07:51.229548Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T15:07:53.488Z"}}], "cna": {"title": "vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks", "source": {"advisory": "GHSA-m5q2-4fm3-vfqp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"status": "affected", "version": "< 3.11.4"}]}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp", "name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878", "name": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4", "name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior \u2014 verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:14:42.022Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47135", "state": "PUBLISHED", "dateUpdated": "2026-06-13T03:55:55.641Z", "dateReserved": "2026-05-18T19:50:18.695Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T14:14:42.022Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior \u2014 verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4."}], "id": "CVE-2026-47135", "lastModified": "2026-06-12T16:03:15.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-12T15:16:28.007", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878"}, {"source": "security-advisories@github.com", "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vm2: vm2: Sandbox escape allows arbitrary code execution on the host system", "id": "2488396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488396"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-1100", "details": ["vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior \u2014 verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.", "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox environment, leading to a complete compromise of the host."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-47135", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-06-12T14:14:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47135\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47135\nhttps://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878\nhttps://github.com/patriksimek/vm2/releases/tag/v3.11.4\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"], "statement": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to write cross-realm symbol keys to host objects which is not possible in the default configuration of Red Hat Developer Hub.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.11.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vm2", "source": "cna", "vendor": "patriksimek"}, "product": "vm2", "vendor": "patriksimek"}], "created": "2026-06-12T15:30:31.462217+00:00", "updated": "2026-06-24T10:45:03.167906+00:00", "vendors": ["patriksimek", "patriksimek$PRODUCT$vm2"]}