- Description
- vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the Symbol.for override in setup-sandbox.js intercepts only 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, this lets sandbox code obtain real cross-realm symbols, write them to host objects, and control host-side behavior; this was verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
- Source
- security-advisories@github.com
- NVD status
- Deferred
CVSS 3.1
- Type
- Secondary
- Base score
- 8.7
- Impact score
- 5.8
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-693
- Hype score
- Not currently trending