cbcvebase.
CVE-2026-43999
published 2026-05-13


Priority: P2 (70) · critical · CVSS 3.1 base score: 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.97% (57.6th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Affected

5 ranges
Vendor                       Product            Version range        Fixed in
ansible-automation-platform  automation-portal
patriksimek                  vm2                < 3.11.0             3.11.0
rhdh                         rhdh-hub-rhel9
vm2_project                  vm2                < 3.11.0             3.11.0
vm2_project                  vm2                >= 3.10.5 < 3.11.0   3.11.0

Detection & IOCs (extracted from sources)

  • Sandboxed code calling Module._load() in the host context via the 'module' builtin should be flagged as exploitation of the vm2 builtin allowlist bypass
  • Monitor for vm2 NodeVM configurations that allow the 'module' builtin or use the '*' wildcard in the require allowlist, as these are the preconditions for exploitation
  • Alert on sandboxed code that loads 'child_process' or other excluded builtins, which is the post-exploitation indicator of this bypass being used for RCE
  • Flag vm2 versions prior to 3.11.0 in Node.js environments as vulnerable; inventory and prioritize upgrade
  • Any vm2 NodeVM configuration that permits the 'module' builtin, explicitly or via the '*' wildcard, is exploitable; this is the root configuration flaw enabling the bypass
  • Do not use wildcard '*' in NodeVM require/builtin configuration, as it implicitly allows 'module' and exposes Module._load() to sandboxed code
  • Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Self-service automation portal 2 (ansible-automation-platform/automation-portal) are under investigation for impact from this CVE
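The configuration precondition described above and the version inventory item can both be checked mechanically. The following is an added example, not code from the advisory or from the vm2 project; it assumes vm2's documented NodeVM option shape `{ require: { builtin: [...] } }`, and the function names are my own.

```javascript
// Added example (not from the advisory or vm2). Audits a NodeVM options object
// for the precondition above ('module' allowed explicitly or via '*') and flags
// vm2 versions before the fixed release. Assumes { require: { builtin: [...] } }.
const FIXED_VERSION = '3.11.0'; // fixed release per the advisory
const WILDCARD = '*';

// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Inventory check from the detection list: any vm2 before 3.11.0 is affected.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

function allowedBuiltins(options) {
  const req = options && options.require;
  return req && Array.isArray(req.builtin) ? req.builtin : [];
}

// One finding per way the configuration lets sandboxed code reach 'module'.
function auditNodeVmOptions(options) {
  const allowed = allowedBuiltins(options);
  const findings = [];
  if (allowed.includes(WILDCARD)) {
    findings.push("require.builtin contains '*', which implicitly allows 'module'");
  }
  if (allowed.includes('module')) {
    findings.push("require.builtin explicitly allows 'module' (exposes Module._load)");
  }
  return findings;
}

// Hardened copy: '*' is replaced by the explicit list the application actually
// needs (neededBuiltins), and 'module' is dropped from whatever remains.
function hardenNodeVmOptions(options, neededBuiltins) {
  const allowed = allowedBuiltins(options);
  const base = allowed.includes(WILDCARD) ? neededBuiltins : allowed;
  const builtin = [...new Set(base)].filter((name) => name !== 'module');
  return { ...options, require: { ...((options && options.require) || {}), builtin } };
}

// Constructed sample: the weak configuration the advisory warns about.
const weakConfig = { require: { external: true, builtin: ['*'] } };
console.log(auditNodeVmOptions(weakConfig));
console.log(hardenNodeVmOptions(weakConfig, ['fs', 'path']).require.builtin); // [ 'fs', 'path' ]
```

Note that replacing the wildcard requires knowing which builtins the sandboxed code legitimately uses; the audit only tells you the allowlist is too broad, not what to narrow it to.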

CVSS provenance

nvd · v3.1 · 9.9 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat · 9.9 CRITICAL