vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
vm2 is a popular Node.js sandboxing library that isolates untrusted code execution. This vulnerability allows attackers to break out of the sandbox by exploiting incomplete Symbol.for() interception in setup-sandbox.js. The flaw enables malicious code to access real cross-realm symbols and write them to host objects, effectively giving attackers control over host-side behavior. This is critical for organizations using vm2 to run third-party scripts, plugins, or user-generated code, as the sandbox's primary security guarantee is completely bypassed. Applications relying on vm2 versions prior to 3.11.4 face immediate risk of code execution with full host privileges.
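The missing key check described above can be illustrated with a host-object wrapper whose set/defineProperty/deleteProperty traps all refuse dangerous symbol keys. This is an added example, not vm2's code or its actual patch: `guardHostObject` and `probe` are hypothetical names, and treating every registry symbol whose key starts with `nodejs.` as dangerous is an assumption made here instead of enumerating names.

```javascript
// Added example (not vm2's implementation). Symbols created with Symbol.for()
// live in a registry shared by every realm, so a sandbox can name the same
// symbol the host's Node.js internals look up.
// Assumption: any registry symbol with a "nodejs." key is treated as dangerous.
function isDangerousCrossRealmSymbol(key) {
  if (typeof key !== 'symbol') return false;
  const name = Symbol.keyFor(key); // undefined for local and well-known symbols
  return typeof name === 'string' && name.startsWith('nodejs.');
}

// Hypothetical stand-in for a bridge proxy around a host object.
// Every trap that can create, change or remove a property checks the key.
function guardHostObject(target) {
  const reject = (trap, key) => {
    if (isDangerousCrossRealmSymbol(key)) {
      throw new TypeError(`${trap} blocked for ${String(key)}`);
    }
  };
  return new Proxy(target, {
    set(t, key, value, receiver) {
      reject('set', key);
      return Reflect.set(t, key, value, receiver);
    },
    defineProperty(t, key, desc) {
      reject('defineProperty', key);
      return Reflect.defineProperty(t, key, desc);
    },
    deleteProperty(t, key) {
      reject('deleteProperty', key);
      return Reflect.deleteProperty(t, key);
    },
  });
}

// Try each write primitive with `key`; return the traps that let it through.
function probe(key) {
  const guarded = guardHostObject(function hostFn() {});
  const attempts = {
    set: () => { guarded[key] = 1; },
    defineProperty: () => Object.defineProperty(guarded, key, { value: 1, configurable: true }),
    deleteProperty: () => { delete guarded[key]; },
  };
  return Object.keys(attempts).filter((name) => {
    try { attempts[name](); return true; } catch { return false; }
  });
}
```

Checking the key in only one trap is not enough: a plain assignment through the proxy reaches both `set` and `defineProperty`, so each trap carries its own check.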
While this CVE lacks mapped MITRE ATT&CK techniques, Casky's Claude-powered analysis would detect the attack chain through behavioral patterns associated with privilege escalation and code injection. Practitioners using Casky would observe findings related to improper sandboxing implementation, insecure object property manipulation, and cross-realm boundary violations. The extended reasoning capability would surface how Symbol hijacking chains (such as the util.promisify exploit path mentioned) escalate from sandbox escape to arbitrary host code execution. Security teams would see alerts flagging attempts to access or modify host objects from within isolated contexts, abnormal property descriptor manipulation, and detection of cross-realm symbol usage—patterns that indicate sandbox containment failure before exploitation succeeds.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-47135. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation