CVE-2026-43997
Published 2026-05-13
Priority P357 · critical · 10 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 0.98% (57.7th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can obtain the host Object. There are various ways to use the host Object to escape the sandbox; one example is using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| patriksimek | vm2 | < 3.11.0 | 3.11.0 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.11.0 | 3.11.0 |
| vm2_project | vm2 | >= 0 < 3.11.0 | 3.11.0 |
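CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | — | 10.0 | CRITICAL | — |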
VulDB
patriksimek vm2 up to 3.10.x code injection (GHSA-47x8-96vw-5wg6)
vuldb·2026-05-13·CVSS 10.0
CVE-2026-43997 [CRITICAL] patriksimek vm2 up to 3.10.x code injection (GHSA-47x8-96vw-5wg6)
A vulnerability was found in patriksimek vm2 up to 3.10.x and classified as critical. This affects an unknown function. Such manipulation leads to code injection.
This vulnerability is listed as CVE-2026-43997. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
vm2 Access to Host Object Enables Sandbox Escape
ghsa·2026-05-07
CVE-2026-43997 [CRITICAL] CWE-94 vm2 Access to Host Object Enables Sandbox Escape
### Summary
It is possible to obtain the host `Object`. https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.
### Details
There are various ways to use the host `Object` to escape the sandbox; one example would be using `HostObject.getOwnPropertySymbols` to obtain `Symbol(nodejs.util.inspect.custom)`.
### PoC
```js
const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
const obj = {
[sym]: (depth, opt, inspect) => {
inspect.constructor("return process.getBuiltinModule('child_proce
```
Red Hat
vm2: vm2: Arbitrary code execution via sandbox escape
vendor_redhat·2026-05-13·CVSS 10.0
CVE-2026-43997 [CRITICAL] CWE-653 vm2: vm2: Arbitrary code execution via sandbox escape
A flaw was found in vm2 (before 3.11.0), a Node.js sandbox library. Sandboxed code can obtain the host Object (e.g. via HostObject.getOwnPropertySymbols and Symbol(nodejs.util.inspect.custom)), bypassing isolation and enabling arbitrary code execution on the host.
Statement: vm2 is vulnerable to sandbox escape via host Object leakage in the VM bridge. A remote unauthenticated attacker who can submit code to a vm2 sandbo
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43997 vm2: vm2: Arbitrary code execution via sandbox escape
bugzilla·2026-05-13·CVSS 10.0
CVE-2026-43997 [CRITICAL] CVE-2026-43997 vm2: vm2: Arbitrary code execution via sandbox escape
Hackernews
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
blogs_hackernews·2026-05-07·CVSS 10.0
CVE-2026-24118 [CRITICAL] vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.
The security flaws are listed below -
CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGette
https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
https://access.redhat.com/security/cve/CVE-2026-43997
https://bugzilla.redhat.com/show_bug.cgi?id=2477203
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43997.json