Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-43997

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

View on NVD

Analysis

A critical sandbox escape vulnerability has been identified in the vm2 library for Node.js. Attackers can obtain host objects to bypass the sandbox and execute arbitrary code on the underlying system. If your stack relies on vm2 to run untrusted code, update to version 3.11.0 immediately.

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-94

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Published: 5/13/2026, 6:16:16 PM
Last modified: 5/13/2026, 7:17:25 PM

References

HomeEventsBlogResourcesTeam