Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-43997

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Ver en NVD

Análisis

A critical sandbox escape vulnerability has been identified in the vm2 library for Node.js. Attackers can obtain host objects to bypass the sandbox and execute arbitrary code on the underlying system. If your stack relies on vm2 to run untrusted code, update to version 3.11.0 immediately.

Severidad

Puntaje: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-94

EPSS

Sin puntaje EPSS aún (CVE muy reciente).

Descripción técnica

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Publicada: 13/5/2026, 18:16:16
Última modificación: 13/5/2026, 19:17:25

Referencias

InicioEventosBlogRecursosEquipo