CVE-2026-43999
CriticalCVSS 9.9Exploitation Probability (EPSS)
Elevated risk58th percentile — higher than 58% of all known CVEs
Summary
A vulnerability in vm2 prior to 3.11.0 allows bypassing the NodeVM builtin allowlist when the 'builtin' module is allowed (including via the '*' wildcard). Sandboxed code can use Module._load() to load any module in the host context, leading to remote code execution.
Risk Assessment
An attacker can load dangerous modules like child_process, resulting in full server compromise and data exfiltration.
Recommendation
Upgrade vm2 to version 3.11.0 or later immediately. If upgrading is not possible, disable the 'builtin' module in the NodeVM configuration.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.

