CVE-2026-43997
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk58th percentile — higher than 58% of all known CVEs
Summary
In the vm2 library for Node.js prior to version 3.11.0, there is a vulnerability that allows obtaining the host object. An attacker can use various methods, e.g., via HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom) and escape the sandbox.
Risk Assessment
The risk involves the possibility of completely bypassing sandbox isolation mechanisms, which can lead to arbitrary code execution on the server and full application compromise.
Recommendation
Immediately update the vm2 library to version 3.11.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

