Lucene search
K

5 matches found

Vulnrichment
Vulnrichment
added 2026/06/12 2:14 p.m.9 views

CVE-2026-47209 vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object...

8.6CVSS5.2AI score0.00287EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 2:14 p.m.22 views

CVE-2026-47209

vm2 (Node.js sandbox) had a vulnerability in the BaseHandler.set trap that ignores the receiver parameter and always writes to the host target, enabling inherited-property writes to leak onto host objects via prototype chains. This can allow attackers to assign Symbol-keyed properties (e.g., node...

8.6CVSS5.2AI score0.00287EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/29 5:49 p.m.14 views

vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Summary The BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object inherits from the proxy via Object.create, the property assignment...

8.6CVSS6AI score0.00287EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/05/07 4:7 a.m.10 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype, Array.prototype,...

10CVSS6AI score0.00842EPSS
Exploits1References2
OSV
OSV
added 2026/05/07 4:7 a.m.4 views

GHSA-VWRP-X96C-MHWQ vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

Summary vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet and otherReflectDefineProperty, which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate...

10CVSS6.1AI score0.00842EPSS
Exploits1References4
Rows per page
Query Builder