Protection Mechanism Failure in vm2 - #VU131737

 


Published: May 18, 2026


Vulnerability identifier: #VU131737
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software: vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to inject properties into host objects via the prototype chain.

The vulnerability exists due to improper access control in the BaseHandler.set trap in bridge.js when handling inherited property assignments on proxy-backed objects. A remote attacker can create a prototype-inheriting child object and assign crafted properties to inject properties into host objects via the prototype chain.

Dangerous Symbol-keyed properties can be written to host objects, which can lead to semantic confusion across realms.
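
The `receiver` behaviour behind the description above, shown in a toy membrane as an added example (not vm2's `bridge.js` code or its fix; `wrap`, `inheritedWrite` and the guard are assumptions for illustration). An assignment on an object that merely inherits from a proxy still reaches the proxy's `set` trap, so a trap that ignores `receiver` writes into the wrapped host object.

```javascript
// Toy membrane, NOT vm2's bridge.js: wrap(), inheritedWrite() and the guard
// are hypothetical names used only to show how `receiver` behaves.
function wrap(host, guarded) {
  const proxy = new Proxy(host, {
    // The trap also fires when `proxy` is only on the prototype chain of the
    // object being assigned to; `receiver` is then that child object.
    set(target, key, value, receiver) {
      if (guarded && receiver !== proxy) {
        // Inherited assignment: keep the write on the child, never the host.
        return Reflect.defineProperty(receiver, key, {
          value, writable: true, enumerable: true, configurable: true,
        });
      }
      target[key] = value; // direct assignment (or naive mode): write to host
      return true;
    },
  });
  return proxy;
}

function inheritedWrite(guarded) {
  const host = { name: 'host-object' };   // constructed stand-in for a host object
  const proxy = wrap(host, guarded);
  const child = Object.create(proxy);     // child only inherits from the proxy
  child.injected = 1;                     // string key, assigned on the child
  child[Symbol('constructed')] = 2;       // symbol key, assigned on the child
  proxy.direct = true;                    // ordinary write through the proxy
  const keys = (o) => Reflect.ownKeys(o).map(String);
  return { host: keys(host), child: keys(child) };
}

console.log('naive  :', inheritedWrite(false));
console.log('guarded:', inheritedWrite(true));
```

In naive mode both child assignments end up as own properties of `host`; with the guard only the direct write does, and the child keeps its own properties.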


Remediation

Install the security update from the vendor's website.
