vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
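The receiver behaviour described above, as an added example that is not vm2's bridge.js code or part of the original advisory: two plain Proxy handlers, one ignoring the receiver as described and one forwarding it, plus a helper that reports where an inherited write lands. The handler names, the helper and the sample objects are constructed for illustration.

```javascript
// Added illustration using plain Proxy objects; this is not vm2's code.
// Handler names, the helper and the sample objects are constructed.

// Mirrors the described defect: the receiver argument is ignored, so the
// write always lands on the proxy's target.
const ignoresReceiver = {
  set(target, key, value /* receiver deliberately unused */) {
    return Reflect.set(target, key, value);
  },
};

// Spec-conformant form: forwarding the receiver lets the ordinary [[Set]]
// algorithm define the property on the object that was assigned to.
const forwardsReceiver = {
  set(target, key, value, receiver) {
    return Reflect.set(target, key, value, receiver);
  },
};

// Regression-style check: assign through a child that inherits from the
// proxy and report which object ended up owning the property.
function writeThroughChild(handler, key, value) {
  const target = {};                        // stands in for the host-side object
  const proxy = new Proxy(target, handler);
  const child = Object.create(proxy);       // assignment below has receiver !== proxy
  child[key] = value;
  const owns = (obj) => Object.prototype.hasOwnProperty.call(obj, key);
  return { onTarget: owns(target), onChild: owns(child) };
}

// The symbol key named in the advisory text, used here only as a property key.
const promisifyCustom = Symbol.for('nodejs.util.promisify.custom');

for (const [name, handler] of Object.entries({ ignoresReceiver, forwardsReceiver })) {
  for (const key of ['plainKey', promisifyCustom]) {
    const where = writeThroughChild(handler, key, 1);
    console.log(name, String(key), where);
  }
}
```

A handler that passes this check leaves the target untouched (onTarget false, onChild true) for both string and symbol keys.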
vm2 is a widely used Node.js sandbox that isolates untrusted code execution. CVE-2026-47209 is a critical flaw in the BaseHandler.set trap within bridge.js, where the Proxy handler ignores the receiver parameter during property assignments. This violates the JavaScript Proxy specification and allows attackers to write properties directly to the host target object instead of creating own properties on the receiver object. The vulnerability is particularly dangerous because vm2 is deployed to sandbox third-party code, plugins, and user-submitted scripts, making this a direct path to host escape and arbitrary code execution outside the intended sandbox boundaries.
While this CVE shows zero matching Casky skills currently, practitioners using Casky.ai would benefit from monitoring for attack patterns associated with prototype pollution, code injection, and sandbox escape techniques. Organizations should focus detection efforts on unusual property manipulation patterns in Node.js environments, unexpected modifications to inherited object properties, and behavioral anomalies in sandboxed execution contexts. Patching to vm2 version 3.11.4 or later is critical, and security teams should audit any systems using older versions of vm2 to identify potential compromises or exploitation attempts targeting this specific handler bypass.