CRITICAL🇵🇱 Wersja polska

CVE-2026-43997

CVSS 10.0v3.1pub. 2026-05-13upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

🤖 AI Analysis
How it works

The vulnerability (CWE-94 — improper control of code generation) consists of the ability to obtain a reference to a host object from code executed inside the sandbox. An example exploitation method is calling the `getOwnPropertySymbols` method on a host object to retrieve the `Symbol(nodejs.util.inspect.custom)` symbol, which enables further manipulation of the Node.js environment outside the sandbox. After gaining access to the host object, an attacker can execute arbitrary code in the context of the host process.

Impact

An attacker can escape from an isolated sandbox and execute arbitrary code on the host server (RCE), which in practice means complete compromise of the system running the application that uses vm2.

Mitigation & patch

The vm2 library must be urgently updated to version 3.11.0 or later, where the vulnerability has been fixed. Details are available in the vendor's references on GitHub Security Advisories.

Who is affected

vm2 library for Node.js in versions prior to 3.11.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44008CRITICAL9.8PL ✓ten sam produkt

Ucieczka z sandboxu vm2 poprzez getter na prototypie tablicy