CVE Catalog

CVE-2026-43999

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.97%

58th percentile — higher than 58% of all known CVEs

Summary

A vulnerability in vm2 prior to 3.11.0 allows bypassing the NodeVM builtin allowlist when the 'builtin' module is allowed (including via the '*' wildcard). Sandboxed code can use Module._load() to load any module in the host context, leading to remote code execution.

Risk Assessment

An attacker can load dangerous modules like child_process, resulting in full server compromise and data exfiltration.

Recommendation

Upgrade vm2 to version 3.11.0 or later immediately. If upgrading is not possible, disable the 'builtin' module in the NodeVM configuration.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS