A perfect-10 CVSS code-injection flaw in the widely used Node.js sandboxing library vm2 allows unauthenticated remote attackers to break out of the sandbox entirely and execute arbitrary system commands on the host with no privileges and no user interaction required.
Security researcher c0rydoras has uncovered a devastating critical-severity vulnerability in vm2, one of the most popular Node.js libraries for running untrusted code in an isolated sandbox environment.
Tracked as CVE-2026-43997 and published via GitHub Security Advisory GHSA-47x8-96vw-5wg6, the flaw carries a maximum CVSS v3.1 score of 10.0, making it among the most severe vulnerabilities disclosed in the Node.js ecosystem in recent memory. The vulnerability affects all VM2 versions up to and including 3.10.5 and has been patched in version 3.11.0.
vm2 is a Node.js sandboxing library that safely executes untrusted user-supplied JavaScript code by isolating it from the host environment. It is embedded in thousands of production applications from online code playgrounds and server-side code evaluation engines to developer tools and SaaS platforms that allow user-defined automation logic.
The library’s core security promise is containment: code running inside the VM2 sandbox should never be able to reach the host system’s processes, file system, or network. CVE-2026-43997 shatters that promise entirely.
vm2 Escape Sandbox Vulnerability
The root cause of CVE-2026-43997 lies in the incomplete sandbox isolation of the host Object. While maintainer Patrik Simek had previously attempted to patch related host-object access vectors in commit ebcfe94, those protections proved insufficient against a more sophisticated attack chain.
The vulnerability is classified under CWE-94 (Improper Control of Generation of Code, "Code Injection"): the sandbox fails to neutralize attacker-controlled input that can modify code execution behavior.
Critically, the attack vector is Network, the attack complexity is Low, no privileges are required, no user interaction is needed, and the scope is Changed, meaning a successful exploit crosses the containment boundary from the sandbox into the host.
The CVSS v3.1 vector is: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. This translates to a high impact on confidentiality, integrity, and availability on the host, representing a full system compromise.
The published Proof-of-Concept (PoC) demonstrates a multi-step JavaScript chain that escapes the sandbox and achieves Remote Code Execution (RCE). At a high level, the attack proceeds as follows:
- Prototype chain traversal – The attacker uses `__lookupGetter__` on a plain object and `Buffer.apply` to climb the prototype chain and reach the raw host `Object` constructor.
- Host symbol extraction – `HObject.getOwnPropertySymbols(Buffer.prototype)` retrieves `Symbol(nodejs.util.inspect.custom)`, a Node.js internal symbol that controls how objects are displayed during inspection.
- Malicious inspect callback – A crafted object is constructed using that symbol as a computed property key. The handler invokes `inspect.constructor(...)()`, effectively reaching the host `Function` constructor from inside the sandbox.
- Shell command execution – The attacker calls `child_process.execSync('ls', {stdio:'inherit'})`, or any arbitrary OS command, through the escaped `Function` constructor.
- Trigger via WebAssembly – `WebAssembly.compileStreaming(obj).catch(() => {})` triggers the inspect callback pathway, completing the exploit chain with zero user interaction.
CVE-2026-43997 is not an isolated incident. The vm2 library has accumulated a troubling history of critical sandbox escapes throughout 2025 and 2026. Earlier this year, CVE-2026-22709 (CVSS 9.8) was disclosed, allowing attackers to bypass Promise callback sanitization and achieve arbitrary code execution.
That flaw was rooted in inconsistent sanitization between the localPromise and globalPromise prototype methods. A wave of twelve additional VM2 vulnerabilities, all with CVSS scores of 9.8 or higher, was disclosed in May 2026.
These include CVE-2026-24118 (sandbox escape via __lookupGetter__), CVE-2026-24781 (escape via the inspect function), CVE-2026-26956 (Symbol-to-string coercion TypeError bypass), and CVE-2026-24120 (a patch bypass for the older CVE-2023-37466).
The sheer volume of critical bypasses discovered in quick succession signals a systemic architectural weakness in how VM2 isolates the JavaScript runtime, rather than discrete, patchable bugs.
Patch & Mitigation
All users of VM2 should take the following immediate steps:
- Upgrade to vm2 3.11.0 or later (ideally the latest stable release, 3.11.2) to patch CVE-2026-43997 and the full batch of recently disclosed flaws.
- Audit all dependency trees for transitive VM2 usage using `npm audit` or a software composition analysis (SCA) tool.
- Apply runtime mitigations as a defense-in-depth layer: restrict network egress on the Node.js process, run the process under a least-privilege OS account, and consider adding RASP tooling to monitor for anomalous system calls.
- Evaluate architectural migration away from VM2 entirely. Given vm2’s repeated critical failures, security teams should evaluate alternatives such as isolated worker threads, WASM-based sandboxes, or containerized execution environments for running untrusted code.
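The dependency-audit step above can be automated against an npm lockfile. The following script is an added example, not code from the advisory or the vm2 project: it walks the `packages` map of a lockfile v2/v3 (so transitive copies nested under other dependencies are found too) and flags every vm2 install at or below 3.10.5, the last affected version named above. The lockfile it reads is a constructed sample, and the helper names are ours.

```javascript
// Added example: scan an npm lockfile (v2/v3 "packages" map) for vm2 installs
// and flag any version <= 3.10.5 (the affected range per the advisory).
// SAMPLE_LOCK below is constructed; findVm2/isAffected are our own helpers.
const AFFECTED_MAX = [3, 10, 5]; // last vulnerable version stated on the page

function parseVersion(v) {
  // Accept "3.10.5" or "v3.10.5"; ignore any prerelease/build suffix.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed version falls inside the affected range (<= 3.10.5).
function isAffected(version) {
  return compareVersions(parseVersion(version), AFFECTED_MAX) <= 0;
}

// Each key in lock.packages is an install path such as
// "node_modules/foo/node_modules/vm2", so nested (transitive) copies are
// reported alongside the top-level one. Returns one finding per vm2 install.
function findVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/vm2")) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample: a patched top-level vm2 plus a vulnerable copy that
// some-dep pins underneath itself, which a shallow check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.2" },
    "node_modules/some-dep": { version: "2.0.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/some-dep/node_modules/vm2": { version: "3.9.19" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findVm2(SAMPLE_LOCK)) {
    console.log(`${f.affected ? "VULNERABLE" : "ok        "} ${f.path}@${f.version}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfile v1 files have no `packages` map and need the older `dependencies` tree walked instead.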
| Field | Details |
|---|---|
| CVE ID | CVE-2026-43997 |
| Advisory | GHSA-47x8-96vw-5wg6 |
| Package | vm2 (npm) |
| Affected Versions | ≤ 3.10.5 |
| Patched Version | 3.11.0 |
| CVSS v3.1 Score | 10.0 (Critical) |
| CWE | CWE-94 (Code Injection) |
| Attack Vector | Network |
| Privileges Required | None |
| Scope | Changed (Sandbox → Host) |
| Impact | Remote Code Execution |
FAQ
Q1: What versions of VM2 are affected by CVE-2026-43997?
All vm2 versions up to and including 3.10.5 are vulnerable; the fix is available in version 3.11.0 and later.
Q2: Can CVE-2026-43997 be exploited remotely without authentication?
Yes, the CVSS vector confirms a network attack vector, no privileges required, and no user interaction needed, making it remotely exploitable by any unauthenticated attacker.
Q3: Is a public Proof-of-Concept (PoC) available for this vulnerability?
Yes, a working PoC was published as part of the GitHub Security Advisory GHSA-47x8-96vw-5wg6, demonstrating full RCE via the host Object and inspect symbol chain.
Q4: Should I migrate away from VM2, given its repeated vulnerabilities?
Security experts strongly recommend evaluating alternatives, as VM2 has suffered over a dozen critical sandbox escapes in rapid succession, indicating deep architectural isolation weaknesses rather than isolated bugs.
Site: thecybrdef.com