CVE Catalog

CVE-2026-43997

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.98%

58th percentile — higher than 58% of all known CVEs

Summary

In the vm2 library for Node.js prior to version 3.11.0, there is a vulnerability that allows obtaining the host object. An attacker can use various methods, e.g., via HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom) and escape the sandbox.

Risk Assessment

The risk involves the possibility of completely bypassing sandbox isolation mechanisms, which can lead to arbitrary code execution on the server and full application compromise.

Recommendation

Immediately update the vm2 library to version 3.11.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS