vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

@@ -2,10 +2,11 @@
 
 ## [3.11.4]
 
-Three advisories closed. Patch release — no API changes.
+Four advisories closed. Patch release — no API changes.
 
 ### Security fixes
 
+- **GHSA-m5q2-4fm3-vfqp** — sandbox escape via unblocked cross-realm `Symbol.for` keys plus missing dangerous-symbol guards on the bridge's write traps. Two-layer structural fix: `lib/setup-sandbox.js` denies the entire `nodejs.` namespace at `Symbol.for` and aligns the read-side filters with the full 9-symbol cache, and `lib/bridge.js` extends `isDangerousCrossRealmSymbol` and applies it to the `set`/`defineProperty`/`deleteProperty` traps. See ATTACKS.md Category 8 / Category 20 (both extended) and `test/ghsa/GHSA-m5q2-4fm3-vfqp/`.
 - **GHSA-v6mx-mf47-r5wg** — host prototype mutation via apply-trap indirection. Sandbox code could reach host prototype-mutating setters (`Object.prototype.__proto__`, `setPrototypeOf`, `defineProperty`, `__defineSetter__`/`__defineGetter__`) through `Function.prototype.{call,apply,bind}` and `Reflect.{apply,construct}` indirection, sever a host intrinsic's prototype chain, and escape via the bridge's `thisEnsureThis` proto-walk fallthrough. Two-layer structural fix in `lib/bridge.js` (apply-trap blocklist + cache check before proto-walk). See ATTACKS.md Category 30 and `test/ghsa/GHSA-v6mx-mf47-r5wg/`.
 - **GHSA-q3fm-4wcw-g57x** — Defense Invariant #11 hardening for `defaultSandboxPrepareStackTrace` (second variant of GHSA-9qj6-qjgg-37qq in a different file). The sandbox stack-trace formatter accumulated frames in a sandbox-realm array and `.join`-ed them, so a sandbox-installed setter on `Array.prototype[N]` (or `.join` override) observed bridge-internal state — no host reference reachable today, but one enrichment away from regressing into the GHSA-9qj6 RCE shape. Fixed in `lib/setup-sandbox.js` by folding frames through a primitive string accumulator (no `Array.prototype` slot reachable) and converting `makeCallSiteGetters` to `localReflectDefineProperty` for symmetry. See ATTACKS.md Category 28 Variant B and `test/ghsa/GHSA-q3fm-4wcw-g57x/`.
 - **GHSA-76w7-j9cq-rx2j** — Promise species hijack in the `localPromise` swallow tail. The swallow-tail `apply(globalPromisePrototypeThen, this, [...])` call inside `localPromise`'s constructor invoked the cached host `Promise.prototype.then` without first calling `resetPromiseSpecies(this)`, so a sandbox subclass overriding `[Symbol.species]` could redirect the downstream child constructor to a user function and capture V8's internal `(resolve, reject)` capability — delivering a raw host-realm error (RangeError from deep recursion + `e.stack`) to a sandbox collector and reaching the host `Function` constructor via `.constructor.constructor`. One-line fix in `lib/setup-sandbox.js` adds the missing `resetPromiseSpecies(this)` before the swallow-tail call, matching the pattern already used by the `.then`/`.catch`/`Reflect.apply` overrides. See ATTACKS.md Category 31 and `test/ghsa/GHSA-76w7-j9cq-rx2j/`.

@@ -733,6 +733,16 @@ Function.prototype.value = (depth, opt, inspect) => {
 const obj = { valueOf: undefined, constructor: undefined };
 Object.defineProperties(obj, inspectDesc);
 WebAssembly.compileStreaming(obj).catch(() => {});
+
+// GHSA-m5q2-4fm3-vfqp: extraction is unnecessary when Symbol.for itself returns the real
+// cross-realm symbol. Combined with bridge write-trap pass-through, sandbox can install a
+// host-side hook directly:
+const kPromisify = Symbol.for('nodejs.util.promisify.custom'); // unfiltered before the fix
+hostFn[kPromisify] = function (path) { return Promise.resolve('HIJACKED'); };
+// Host-side: util.promisify(hostFn)('anything').then(...) yields 'HIJACKED'.
+// Sibling abuses with the same primitive: planting `nodejs.stream.readable`/.writable on a
+// non-stream host object to confuse `Stream.isReadable`/`isWritable` duck typing, or
+// installing `nodejs.webstream.controllerErrorFunction` to capture host error dispatch.
 ```
 
 ### Why It Works
@@ -762,6 +772,10 @@ Multi-layer defense. **Sandbox side** (`setup-sandbox.js`): overrides `Symbol.fo
 
 **ownKeys trap rewrite**: iterates the raw host result via `otherReflectGet` rather than bridge-wrapping it, so dangerous symbols can be *dropped* (preserving the Proxy ownKeys invariant, which forbids `undefined` keys) rather than rewritten.
 
+**`nodejs.` prefix denial at the source (GHSA-m5q2-4fm3-vfqp)**: the `Symbol.for` override originally allow-listed only `nodejs.util.inspect.custom` and `nodejs.rejection`, leaving seven other Node-internal `nodejs.*` keys live (`nodejs.util.promisify.custom`, the four stream brand symbols, the two webstream symbols). The override now intercepts the entire `nodejs.` namespace — any key starting with `nodejs.` is mapped to a sandbox-local symbol — so the canonical `Symbol.for(...)` extraction path cannot produce a real cross-realm symbol regardless of which internal feature the attacker targets. A keyed cache preserves `Symbol.for(k) === Symbol.for(k)` identity inside the sandbox for the same key. The companion read-side filter (`isDangerousSymbol` in `setup-sandbox.js`, `isDangerousCrossRealmSymbol` in `bridge.js`) was extended with the seven additional symbols so identity checks against host-extracted symbols match the same set; new entries to either side must be mirrored to keep the source-deny and identity-filter layers consistent.
+
+**Bridge write-trap symbol guard (GHSA-m5q2-4fm3-vfqp)**: the read-direction filter prevents the sandbox from surfacing dangerous symbols, but the write traps (`set`, `defineProperty`, `deleteProperty`) historically forwarded the key straight through to `otherReflect*` without inspecting it. If any future bypass surfaces a dangerous symbol back inside the sandbox (or a host-side embedder hands one in via a path that bypasses the per-symbol filter), the unguarded write traps would let it land as a key on any non-protected host object — turning the leak into a host-side hook installation. Each of the three write traps now checks `isDangerousCrossRealmSymbol(key)` when `!isHost` and throws `VMError(OPNA)`, mirroring the read-side filter. Symmetric coverage across read and write makes "obtaining the symbol" no longer enough to weaponize it; the attacker would also need a path that bypasses both layers simultaneously.
+
 ### Detection Rules
 
 - **`Object.getOwnPropertySymbols(hostObject)`** -- enumerating symbols on bridge-exposed objects.
@@ -1504,6 +1518,8 @@ The bridge's design separated sandbox-realm reasoning from host-realm reasoning
 
 The protected set is captured *before* any sandbox code runs, and is keyed on raw host-realm object identity — so prototype-pollution attempts that try to subvert the check itself (e.g., `Array.prototype.constructor = attackerFn`) fail because the WeakMap holds the original references.
 
+**Symbol-key augmentation (GHSA-m5q2-4fm3-vfqp)**: the per-object `isProtectedHostObject` check fires only for intrinsic prototypes, so non-intrinsic host objects (a plain `{}` exposed via `vm.sandbox.x`, a host function, a Buffer instance) remained writable from the sandbox. That is intentional — embedders need to expose mutable host state — but it interacts badly with [Category 8](#attack-category-8-cross-realm-symbol-extraction-from-host-objects)-class symbol leaks: a sandbox that obtains a real `nodejs.*` cross-realm symbol could install a host-side hook (util.promisify, stream brand, webstream controller) on any such non-protected host object and steer host control flow without ever needing host RCE. The four write traps (`set`, `defineProperty`, `deleteProperty` — plus `preventExtensions` already covered by the original Cat-20 fix) now also reject any sandbox-originated key that satisfies `isDangerousCrossRealmSymbol(key)`. This is the symmetric counterpart to the existing read-direction symbol filter: even if a future bypass surfaces a dangerous symbol back inside the sandbox, it cannot be installed as a key on any bridge-wrapped host object.
+
 ### Detection Rules
 
 - **`hostProto.x = v`** — direct assignment to a bridge proxy of an intrinsic prototype.

@@ -167,16 +167,33 @@ const thisSymbolNodeJSRejection = Symbol.for('nodejs.rejection');
 // uses Symbol.for('nodejs.util.promisify.custom') as a hook. If sandbox code
 // could ever provide a host-recognised version of this symbol on an object
 // passed to `util.promisify(...)`, Node would invoke the sandbox-defined
-// promisifier — likely with host-realm arguments. No live exploit today, but
-// the surface mirrors `nodejs.util.inspect.custom` closely enough that
-// pre-emptive denial is cheap.
+// promisifier — likely with host-realm arguments. GHSA-m5q2-4fm3-vfqp later
+// turned this from a theoretical concern into a verified live exploit.
 const thisSymbolNodeJSUtilPromisifyCustom = Symbol.for('nodejs.util.promisify.custom');
+// SECURITY (GHSA-m5q2-4fm3-vfqp): the four stream brand symbols control Node's
+// duck typing for `Stream.is{Readable,Writable,Duplex,Transform}` checks; the
+// two webstream symbols expose internal hooks (closed-promise resolution and
+// controller error dispatch). Sandbox code installing any of these on a host
+// object steers host-side control flow. The setup-sandbox.js dangerous-symbol
+// set must stay in sync with this list.
+const thisSymbolNodeJSStreamReadable = Symbol.for('nodejs.stream.readable');
+const thisSymbolNodeJSStreamWritable = Symbol.for('nodejs.stream.writable');
+const thisSymbolNodeJSStreamDuplex = Symbol.for('nodejs.stream.duplex');
+const thisSymbolNodeJSStreamTransform = Symbol.for('nodejs.stream.transform');
+const thisSymbolNodeJSWebstreamIsClosedPromise = Symbol.for('nodejs.webstream.isClosedPromise');
+const thisSymbolNodeJSWebstreamControllerErrorFunction = Symbol.for('nodejs.webstream.controllerErrorFunction');
 
 function isDangerousCrossRealmSymbol(key) {
 	return (
 		key === thisSymbolNodeJSUtilInspectCustom ||
 		key === thisSymbolNodeJSRejection ||
-		key === thisSymbolNodeJSUtilPromisifyCustom
+		key === thisSymbolNodeJSUtilPromisifyCustom ||
+		key === thisSymbolNodeJSStreamReadable ||
+		key === thisSymbolNodeJSStreamWritable ||
+		key === thisSymbolNodeJSStreamDuplex ||
+		key === thisSymbolNodeJSStreamTransform ||
+		key === thisSymbolNodeJSWebstreamIsClosedPromise ||
+		key === thisSymbolNodeJSWebstreamControllerErrorFunction
 	);
 }
 
@@ -1235,15 +1252,26 @@ function createBridge(otherInit, registerProxy) {
 		// any own property keyed by a dangerous cross-realm symbol. Using the
 		// host's Reflect.deleteProperty avoids any proxy invariants that apply
 		// to the sandbox-local descriptor filter.
-		try {
-			otherReflectDeleteProperty(ret, thisSymbolNodeJSUtilInspectCustom);
-		} catch (e) {
-			/* best effort */
-		}
-		try {
-			otherReflectDeleteProperty(ret, thisSymbolNodeJSRejection);
-		} catch (e) {
-			/* best effort */
+		// SECURITY (GHSA-m5q2-4fm3-vfqp): scrub every known dangerous nodejs.*
+		// symbol. Iterate the cached list so adding a new symbol to
+		// isDangerousCrossRealmSymbol automatically extends this scrub.
+		const dangerousSyms = [
+			thisSymbolNodeJSUtilInspectCustom,
+			thisSymbolNodeJSRejection,
+			thisSymbolNodeJSUtilPromisifyCustom,
+			thisSymbolNodeJSStreamReadable,
+			thisSymbolNodeJSStreamWritable,
+			thisSymbolNodeJSStreamDuplex,
+			thisSymbolNodeJSStreamTransform,
+			thisSymbolNodeJSWebstreamIsClosedPromise,
+			thisSymbolNodeJSWebstreamControllerErrorFunction,
+		];
+		for (let i = 0; i < dangerousSyms.length; i++) {
+			try {
+				otherReflectDeleteProperty(ret, dangerousSyms[i]);
+			} catch (e) {
+				/* best effort */
+			}
 		}
 	}
 
@@ -1397,6 +1425,18 @@ function createBridge(otherInit, registerProxy) {
 			// Covers C1 (plain assignment), C2 (Reflect.set), and C5
 			// (Object.assign) because all of them funnel through this trap.
 			if (isProtectedHostObject(object)) throw new VMError(OPNA);
+			// SECURITY (GHSA-m5q2-4fm3-vfqp): refuse sandbox-originated writes
+			// whose key is a known dangerous Node.js cross-realm symbol. Even
+			// if the read-direction filter (thisFromOtherWithFactory) and the
+			// sandbox-side Symbol.for override should both prevent the sandbox
+			// from ever surfacing such a symbol primitive, this trap is the
+			// structural last line of defense. Without this check, a future
+			// extraction-path bypass would let the sandbox install host-side
+			// hooks (util.promisify, stream brand, webstream controller, ...)
+			// on any non-protected host object exposed to it.
+			if (!isHost && typeof key === 'symbol' && isDangerousCrossRealmSymbol(key)) {
+				throw new VMError(OPNA);
+			}
 			if (key === '__proto__' && !thisOtherHasOwnProperty(object, key)) {
 				return this.setPrototypeOf(target, value);
 			}
@@ -1636,6 +1676,11 @@ function createBridge(otherInit, registerProxy) {
 			// defineProperty calls targeting any host-realm intrinsic
 			// prototype or constructor. Covers C3 (Object.defineProperty).
 			if (isProtectedHostObject(object)) throw new VMError(OPNA);
+			// SECURITY (GHSA-m5q2-4fm3-vfqp): mirror the set trap — refuse
+			// dangerous-symbol-keyed property installation on any host object.
+			if (!isHost && typeof prop === 'symbol' && isDangerousCrossRealmSymbol(prop)) {
+				throw new VMError(OPNA);
+			}
 			if (!thisReflectSetPrototypeOf(desc, null)) throw thisUnexpected();
 
 			// Intercept defineProperty for constructor on host arrays.
@@ -1704,6 +1749,15 @@ function createBridge(otherInit, registerProxy) {
 			// otherwise remove `hasOwnProperty`, `toString`, etc. from every
 			// host object of that class.
 			if (isProtectedHostObject(object)) throw new VMError(OPNA);
+			// SECURITY (GHSA-m5q2-4fm3-vfqp): refuse sandbox-originated
+			// deletes whose key is a dangerous cross-realm symbol. Without
+			// this, sandbox code can strip host-set hooks (e.g. delete a
+			// Node-installed `nodejs.util.inspect.custom` from a host object)
+			// and substitute its own behavior or break host code that relies
+			// on the host-set property.
+			if (!isHost && typeof prop === 'symbol' && isDangerousCrossRealmSymbol(prop)) {
+				throw new VMError(OPNA);
+			}
 			try {
 				return otherReflectDeleteProperty(object, prop) === true;
 			} catch (e) {

@@ -30,6 +30,11 @@ const {
 const localObjectGetOwnPropertySymbols = localObject.getOwnPropertySymbols;
 const localObjectGetOwnPropertyDescriptors = localObject.getOwnPropertyDescriptors;
 const localObjectAssign = localObject.assign;
+// SECURITY (GHSA-m5q2-4fm3-vfqp): captured at module load before sandbox code
+// can run, so prefix-matching `Symbol.for` keys against the `nodejs.` namespace
+// (see below) cannot be subverted by an attacker who later monkey-patches
+// `String.prototype.startsWith` from inside the sandbox.
+const localStringStartsWith = global.String.prototype.startsWith;
 
 const speciesSymbol = Symbol.species;
 const globalPromise = global.Promise;
@@ -139,22 +144,53 @@ localReflectDefineProperty(localPromise, Symbol.hasInstance, {
  * - 'nodejs.rejection': Called by EventEmitter on promise rejection with captureRejections enabled.
  *   The handler receives error objects that could potentially leak host context.
  *
- * Fix: Override Symbol.for to return sandbox-local symbols for dangerous keys instead of cross-realm
- * symbols. This prevents Node.js internals from recognizing sandbox-defined symbol properties while
- * preserving cross-realm behavior for other symbols.
+ * - 'nodejs.util.promisify.custom': Hook util.promisify(fn) calls when present on `fn`. If a
+ *   sandbox-installed function is invoked here, host code that relies on promisified behavior
+ *   gets sandbox-controlled return values. (GHSA-m5q2-4fm3-vfqp)
+ *
+ * - 'nodejs.stream.{readable,writable,duplex,transform}': Brand symbols Node's stream subsystem
+ *   uses for duck typing. Sandbox-installed brands confuse host-side `Stream.is{Readable,Writable}`
+ *   checks. (GHSA-m5q2-4fm3-vfqp)
+ *
+ * - 'nodejs.webstream.{isClosedPromise,controllerErrorFunction}': WebStream internals — a
+ *   sandbox-installed handler executes in host realm with host arguments. (GHSA-m5q2-4fm3-vfqp)
+ *
+ * Fix: Override Symbol.for to return a sandbox-local symbol for any key in the `nodejs.` namespace
+ * instead of the real cross-realm symbol. The `nodejs.` prefix is reserved by Node for internal
+ * cross-realm hooks; sandbox code has no legitimate reason to register symbols under it. Each
+ * unique `nodejs.*` key is mapped to a stable sandbox-local symbol so that repeated `Symbol.for`
+ * calls inside the sandbox preserve identity (matching the spec's registry semantics for the
+ * sandbox's own consumption), while never crossing the realm boundary.
  */
 const originalSymbolFor = Symbol.for;
 const blockedSymbolCustomInspect = Symbol('nodejs.util.inspect.custom');
 const blockedSymbolRejection = Symbol('nodejs.rejection');
 
+// Per-key cache for unknown `nodejs.*` symbols so `Symbol.for(k) === Symbol.for(k)` still holds
+// inside the sandbox. Built via the cached Reflect primitives so a sandbox-side override of
+// `Object.prototype` / proxies cannot intercept reads or writes here.
+const blockedNodejsSymbolCache = { __proto__: null };
+localReflectDefineProperty(blockedNodejsSymbolCache, 'nodejs.util.inspect.custom', {
+	__proto__: null, value: blockedSymbolCustomInspect, writable: true, enumerable: false, configurable: false,
+});
+localReflectDefineProperty(blockedNodejsSymbolCache, 'nodejs.rejection', {
+	__proto__: null, value: blockedSymbolRejection, writable: true, enumerable: false, configurable: false,
+});
+
 Symbol.for = function (key) {
 	// Convert to string once to prevent toString/toPrimitive bypass and TOCTOU attacks
 	const keyStr = '' + key;
-	if (keyStr === 'nodejs.util.inspect.custom') {
-		return blockedSymbolCustomInspect;
-	}
-	if (keyStr === 'nodejs.rejection') {
-		return blockedSymbolRejection;
+	// SECURITY (GHSA-m5q2-4fm3-vfqp): deny the entire `nodejs.` namespace. The prior allowlist
+	// of two specific keys missed seven other dangerous Node-internal symbols and would miss any
+	// future addition. The `nodejs.` prefix is owned by Node for internal cross-realm hooks.
+	if (apply(localStringStartsWith, keyStr, ['nodejs.'])) {
+		const cached = blockedNodejsSymbolCache[keyStr];
+		if (typeof cached === 'symbol') return cached;
+		const fresh = Symbol(keyStr);
+		localReflectDefineProperty(blockedNodejsSymbolCache, keyStr, {
+			__proto__: null, value: fresh, writable: true, enumerable: false, configurable: false,
+		});
+		return fresh;
 	}
 	return originalSymbolFor(keyStr);
 };
@@ -171,9 +207,27 @@ Symbol.for = function (key) {
  */
 const realSymbolCustomInspect = originalSymbolFor('nodejs.util.inspect.custom');
 const realSymbolRejection = originalSymbolFor('nodejs.rejection');
+// SECURITY (GHSA-m5q2-4fm3-vfqp): pre-cache every known dangerous `nodejs.*` cross-realm symbol so
+// `isDangerousSymbol` can identify them in extraction paths (Reflect.ownKeys, Object.assign, ...).
+// Identity check against these references is the structural test — `description`-string matching
+// is forgeable from sandbox code. Adding new entries here automatically extends every filter.
+const realDangerousSymbols = [
+	realSymbolCustomInspect,
+	realSymbolRejection,
+	originalSymbolFor('nodejs.util.promisify.custom'),
+	originalSymbolFor('nodejs.stream.readable'),
+	originalSymbolFor('nodejs.stream.writable'),
+	originalSymbolFor('nodejs.stream.duplex'),
+	originalSymbolFor('nodejs.stream.transform'),
+	originalSymbolFor('nodejs.webstream.isClosedPromise'),
+	originalSymbolFor('nodejs.webstream.controllerErrorFunction'),
+];
 
 function isDangerousSymbol(sym) {
-	return sym === realSymbolCustomInspect || sym === realSymbolRejection;
+	for (let i = 0; i < realDangerousSymbols.length; i++) {
+		if (sym === realDangerousSymbols[i]) return true;
+	}
+	return false;
 }
 
 localObject.getOwnPropertySymbols = function getOwnPropertySymbols(obj) {
@@ -220,8 +274,11 @@ localReflect.ownKeys = function ownKeys(obj) {
  */
 localObject.getOwnPropertyDescriptors = function getOwnPropertyDescriptors(obj) {
 	const descs = apply(localObjectGetOwnPropertyDescriptors, localObject, [obj]);
-	localReflectDeleteProperty(descs, realSymbolCustomInspect);
-	localReflectDeleteProperty(descs, realSymbolRejection);
+	// SECURITY (GHSA-m5q2-4fm3-vfqp): drop every known dangerous cross-realm symbol slot,
+	// not just the original two. Iterates `realDangerousSymbols` so additions stay in sync.
+	for (let i = 0; i < realDangerousSymbols.length; i++) {
+		localReflectDeleteProperty(descs, realDangerousSymbols[i]);
+	}
 	return descs;
 };
 

@@ -0,0 +1,318 @@
+/**
+ * GHSA-m5q2-4fm3-vfqp — Sandbox escape via unblocked cross-realm Symbol.for keys
+ *                       + missing bridge write-trap symbol checks
+ *
+ * ## Vulnerability class
+ * Sandbox code obtains real cross-realm Node.js symbols via two paths the
+ * existing defenses do not cover:
+ *
+ *   1. `Symbol.for('nodejs.<anything>')` — only `nodejs.util.inspect.custom`
+ *      and `nodejs.rejection` were blocked. Other Node-internal symbols
+ *      (`nodejs.util.promisify.custom`, the four stream brand symbols, the
+ *      two webstream symbols) passed straight through and returned the real
+ *      cross-realm symbol the host's Node internals look up.
+ *
+ *   2. Even when the sandbox cannot produce the symbol, the bridge's `set`,
+ *      `defineProperty`, and `deleteProperty` traps did NOT screen the
+ *      property key for `isDangerousCrossRealmSymbol(...)`. The `get`,
+ *      `has`, `ownKeys`, and `getOwnPropertyDescriptor` traps did. So sandbox
+ *      code could write or delete dangerous-symbol-keyed properties on any
+ *      host object exposed to it — installing host-side hooks
+ *      (`util.promisify.custom`), altering brand-style duck typing on
+ *      streams, or deleting host-set symbol properties.
+ *
+ * ## Fix
+ * 1. `lib/setup-sandbox.js` — `Symbol.for(key)` now returns a sandbox-local
+ *    symbol whenever `key.startsWith('nodejs.')`, denying the entire family
+ *    of cross-realm Node internals at the source. The 9 known dangerous
+ *    `nodejs.*` symbols are pre-cached and `isDangerousSymbol(sym)` (which
+ *    drives the `getOwnPropertySymbols`, `Reflect.ownKeys`,
+ *    `getOwnPropertyDescriptors`, and `Object.assign` overrides) checks
+ *    membership against the full set rather than only two.
+ *
+ * 2. `lib/bridge.js` — `BaseHandler.{set, defineProperty, deleteProperty}`
+ *    now reject any operation whose key is `isDangerousCrossRealmSymbol(...)`
+ *    when the call originates in the sandbox (`!isHost`). The dangerous-symbol
+ *    list in bridge.js is expanded to match setup-sandbox's set so
+ *    `isDangerousCrossRealmSymbol` recognises every host-side hook key.
+ *
+ * The invariant restored:
+ *   - **Read direction**: a dangerous cross-realm symbol must never reach
+ *     sandbox code as a usable symbol value (Category 8 / GHSA-47x8 closed
+ *     this for `nodejs.util.inspect.custom` and `nodejs.rejection`; this
+ *     fix extends the set to all 9 known dangerous `nodejs.*` symbols).
+ *   - **Write direction**: even if the sandbox somehow obtains a dangerous
+ *     symbol primitive (e.g. a future bypass), it must not be able to use
+ *     that symbol as a key against any bridge-wrapped host object. The
+ *     write traps are the structural chokepoint.
+ */
+
+'use strict';
+
+const assert = require('assert');
+const util = require('util');
+const { VM } = require('../../../lib/main.js');
+
+if (typeof it.cond !== 'function') {
+	it.cond = function (name, cond, fn) { return cond ? it(name, fn) : it.skip(name, fn); };
+}
+
+const NODE_MAJOR = parseInt(process.versions.node.split('.')[0], 10);
+// `util.promisify.custom` exists since Node 8 with the symbol form added in 8.0.
+// Stream brand symbols (`nodejs.stream.readable` etc.) are 16+; webstream symbols
+// land later still. Gate the symbol-set check accordingly.
+const HAS_STREAM_BRAND_SYMBOLS = NODE_MAJOR >= 16;
+
+function safeRun(code) {
+	const vm = new VM();
+	try {
+		return vm.run('(function () { try { ' + code + ' } catch (_) { return undefined; } })()');
+	} catch (_) {
+		return undefined;
+	}
+}
+
+describe('GHSA-m5q2-4fm3-vfqp (cross-realm Symbol.for + bridge write-trap leak)', function () {
+
+	// ---- PRIMARY POC: util.promisify hijack ------------------------------------------
+
+	it('blocks PoC: sandbox cannot install nodejs.util.promisify.custom on host fn', function () {
+		// Host function the sandbox is allowed to mutate (a regular host function,
+		// not a protected intrinsic — this is the case the write-trap check covers).
+		const hostFn = function readFile(path, cb) { cb(null, 'real data'); };
+		const vm = new VM();
+		vm.setGlobals = vm.setGlobals || function (g) { for (const k in g) this.sandbox[k] = g[k]; };
+		vm.sandbox.hostFn = hostFn;
+
+		// Sandbox attempts to install a custom promisifier on the host function.
+		// Two paths must be blocked:
+		//   - Symbol.for('nodejs.util.promisify.custom') returns a sandbox-local
+		//     symbol that the host doesn't recognise. So even if the assignment
+		//     went through, host's util.promisify would not invoke the sandbox fn.
+		//   - The sandbox could try to extract the real symbol via Category-8
+		//     paths (closed). If it did, the bridge write-trap rejects the write.
+		try {
+			vm.run(`
+				const kPromisify = Symbol.for('nodejs.util.promisify.custom');
+				hostFn[kPromisify] = function (path) {
+					return Promise.resolve('HIJACKED by sandbox');
+				};
+			`);
+		} catch (_) { /* either Symbol.for returned a safe symbol or write trap threw */ }
+
+		// Host-side check: util.promisify must use Node's default behavior, NOT
+		// any sandbox-installed custom promisifier.
+		const asyncRead = util.promisify(hostFn);
+		return asyncRead('/etc/passwd').then(function (result) {
+			assert.notStrictEqual(result, 'HIJACKED by sandbox', 'sandbox hijacked util.promisify');
+			assert.strictEqual(result, 'real data', 'host function executed normally');
+		});
+	});
+
+	// ---- Symbol.for source-side denial -----------------------------------------------
+
+	it('Symbol.for("nodejs.util.promisify.custom") returns sandbox-local symbol', function () {
+		const isSandboxLocal = safeRun(`
+			const sandboxLocal = Symbol.for('nodejs.util.promisify.custom');
+			// Sandbox-local symbols are NOT the same as the host's real registered symbol.
+			// We can detect the structural identity by reading the symbol from a known
+			// host object (Buffer.prototype carries no promisify symbol, but we can
+			// register one fresh in the host registry — Symbol.for on the host always
+			// returns the same identity for a given key). The test harness can't reach
+			// the host registry, but we CAN ensure that the description matches AND that
+			// our sandbox symbol is brand-new (a sandbox Symbol() not the registry one).
+			// The structural test: a registered cross-realm symbol survives a round-trip
+			// through Symbol.keyFor; a sandbox-local one does NOT.
+			return Symbol.keyFor(sandboxLocal) === undefined;
+		`);
+		assert.strictEqual(isSandboxLocal, true, 'Symbol.for returned a real cross-realm symbol');
+	});
+
+	it.cond('Symbol.for("nodejs.stream.readable") returns sandbox-local symbol', HAS_STREAM_BRAND_SYMBOLS, function () {
+		const isSandboxLocal = safeRun(`
+			return Symbol.keyFor(Symbol.for('nodejs.stream.readable')) === undefined;
+		`);
+		assert.strictEqual(isSandboxLocal, true, 'nodejs.stream.readable leaked');
+	});
+
+	it.cond('Symbol.for("nodejs.stream.writable") returns sandbox-local symbol', HAS_STREAM_BRAND_SYMBOLS, function () {
+		const isSandboxLocal = safeRun(`
+			return Symbol.keyFor(Symbol.for('nodejs.stream.writable')) === undefined;
+		`);
+		assert.strictEqual(isSandboxLocal, true, 'nodejs.stream.writable leaked');
+	});
+
+	it.cond('Symbol.for("nodejs.stream.duplex") returns sandbox-local symbol', HAS_STREAM_BRAND_SYMBOLS, function () {
+		const isSandboxLocal = safeRun(`
+			return Symbol.keyFor(Symbol.for('nodejs.stream.duplex')) === undefined;
+		`);
+		assert.strictEqual(isSandboxLocal, true, 'nodejs.stream.duplex leaked');
+	});
+
+	it.cond('Symbol.for("nodejs.stream.transform") returns sandbox-local symbol', HAS_STREAM_BRAND_SYMBOLS, function () {
+		const isSandboxLocal = safeRun(`
+			return Symbol.keyFor(Symbol.for('nodejs.stream.transform')) === undefined;
+		`);
+		assert.strictEqual(isSandboxLocal, true, 'nodejs.stream.transform leaked');
+	});
+
+	it('Symbol.for any "nodejs.<future-internal>" key returns sandbox-local symbol', function () {
+		// Forward-compat: any future Node-internal symbol introduced under the
+		// nodejs.* namespace must be denied without code changes.
+		const allSandboxLocal = safeRun(`
+			const probes = [
+				'nodejs.future.feature1',
+				'nodejs.unknown',
+				'nodejs.zalgo',
+			];
+			for (let i = 0; i < probes.length; i++) {
+				if (Symbol.keyFor(Symbol.for(probes[i])) !== undefined) return false;
+			}
+			return true;
+		`);
+		assert.strictEqual(allSandboxLocal, true, 'a forward-compat nodejs.* key leaked');
+	});
+
+	it('Symbol.for keeps non-"nodejs." keys cross-realm (no over-denial)', function () {
+		// Regression guard: legitimate cross-realm Symbol.for usage (any key NOT
+		// starting with "nodejs.") must still produce a registered cross-realm
+		// symbol so that legitimate intra-process symbol sharing still works.
+		const stillCrossRealm = safeRun(`
+			const s = Symbol.for('user.app.event');
+			return Symbol.keyFor(s) === 'user.app.event';
+		`);
+		assert.strictEqual(stillCrossRealm, true, 'legitimate Symbol.for over-denied');
+	});
+
+	// ---- Bridge write-trap denial ----------------------------------------------------
+	//
+	// Even if the sandbox somehow obtains a real dangerous cross-realm symbol
+	// (via a future bypass, or by reading it back via a host-side path), the
+	// write traps must reject any operation that would install or delete it
+	// on a host-realm object.
+
+	it('set trap: sandbox assignment with dangerous symbol key on host obj is denied', function () {
+		// We can't easily forge a real host symbol from inside the sandbox under
+		// the current defenses (that's exactly what Category 8 closed). But we
+		// can validate the bridge layer directly: pass in the host's real symbol
+		// via setGlobal, then attempt the assignment.
+		const realSym = Symbol.for('nodejs.util.promisify.custom');
+		const hostObj = {};
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try {
+			vm.run(`hostObj[realSym] = function () { return 'pwned'; };`);
+		} catch (_) { /* expected: VMError(OPNA) */ }
+		assert.strictEqual(
+			Object.prototype.hasOwnProperty.call(hostObj, realSym),
+			false,
+			'set trap installed dangerous symbol key on host object'
+		);
+	});
+
+	it('defineProperty trap: dangerous symbol key cannot be installed on host obj', function () {
+		const realSym = Symbol.for('nodejs.util.promisify.custom');
+		const hostObj = {};
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try {
+			vm.run(`Object.defineProperty(hostObj, realSym, { value: 'pwned' });`);
+		} catch (_) { /* expected */ }
+		assert.strictEqual(
+			Object.prototype.hasOwnProperty.call(hostObj, realSym),
+			false,
+			'defineProperty trap installed dangerous symbol key on host object'
+		);
+	});
+
+	it('deleteProperty trap: dangerous symbol key on host obj cannot be deleted', function () {
+		const realSym = Symbol.for('nodejs.util.promisify.custom');
+		const hostObj = {};
+		// Host pre-installs the symbol — sandbox must not be able to delete it.
+		hostObj[realSym] = function () { return 'host-set'; };
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try {
+			vm.run(`delete hostObj[realSym];`);
+		} catch (_) { /* expected */ }
+		assert.strictEqual(
+			Object.prototype.hasOwnProperty.call(hostObj, realSym),
+			true,
+			'deleteProperty trap removed dangerous symbol from host object'
+		);
+	});
+
+	it('write traps: nodejs.rejection symbol also denied across all three traps', function () {
+		const realSym = Symbol.for('nodejs.rejection');
+		const hostObj = { [realSym]: 'host-set' };
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try { vm.run(`hostObj[realSym] = 'set';`); } catch (_) {}
+		try { vm.run(`Object.defineProperty(hostObj, realSym, { value: 'def' });`); } catch (_) {}
+		try { vm.run(`delete hostObj[realSym];`); } catch (_) {}
+		assert.strictEqual(hostObj[realSym], 'host-set', 'nodejs.rejection write/delete leaked through bridge');
+	});
+
+	it('write traps: nodejs.util.inspect.custom symbol also denied', function () {
+		const realSym = Symbol.for('nodejs.util.inspect.custom');
+		const hostObj = { [realSym]: 'host-set' };
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try { vm.run(`hostObj[realSym] = 'set';`); } catch (_) {}
+		try { vm.run(`Object.defineProperty(hostObj, realSym, { value: 'def' });`); } catch (_) {}
+		try { vm.run(`delete hostObj[realSym];`); } catch (_) {}
+		assert.strictEqual(hostObj[realSym], 'host-set', 'nodejs.util.inspect.custom write/delete leaked');
+	});
+
+	// ---- Stream brand pollution ------------------------------------------------------
+
+	it.cond('write traps: stream brand symbol assignment denied', HAS_STREAM_BRAND_SYMBOLS, function () {
+		const realSym = Symbol.for('nodejs.stream.readable');
+		const hostObj = {};
+		const vm = new VM();
+		vm.sandbox.hostObj = hostObj;
+		vm.sandbox.realSym = realSym;
+		try {
+			vm.run(`hostObj[realSym] = true;`);
+		} catch (_) {}
+		assert.strictEqual(
+			Object.prototype.hasOwnProperty.call(hostObj, realSym),
+			false,
+			'sandbox installed stream brand on host object'
+		);
+	});
+
+	// ---- Sandbox-side enumeration filters --------------------------------------------
+
+	it('isDangerousSymbol covers full nodejs.* set: extracted symbols are filtered', function () {
+		// Even if a host object has a dangerous cross-realm symbol as an own key,
+		// sandbox-side getOwnPropertySymbols / Reflect.ownKeys must filter ALL
+		// 9 known dangerous symbols, not just the original 2.
+		const found = safeRun(`
+			const target = {};
+			// Plant the host-registered symbols on a sandbox object via the
+			// (now-blocked) Symbol.for path. After the fix, Symbol.for returns
+			// a sandbox-local symbol — so this exercise validates that the FULL
+			// pipeline (Symbol.for source-deny + ownKeys filter + descriptor filter)
+			// can never surface the real registry symbols. We don't try to forge
+			// them; we just verify Symbol.for cannot produce them.
+			const probes = [
+				'nodejs.util.inspect.custom',
+				'nodejs.rejection',
+				'nodejs.util.promisify.custom',
+			];
+			const leaked = [];
+			for (let i = 0; i < probes.length; i++) {
+				const s = Symbol.for(probes[i]);
+				if (Symbol.keyFor(s) === probes[i]) leaked.push(probes[i]);
+			}
+			return leaked;
+		`);
+		assert.deepStrictEqual(found, [], 'one or more dangerous symbols leaked: ' + JSON.stringify(found));
+	});
+});