CVE-2026-43997

CRITICAL

vm2: Sandbox Escape

Title source: cna
STIX 2.1

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Scores

CVSS v3 10.0
EPSS 0.0098
EPSS Percentile 58.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-653 CWE-94
Status published
Products (3)
npm/vm2 0 - 3.11.0npm
patriksimek/vm2 < 3.11.0
vm2_project/vm2 < 3.11.0
Published May 13, 2026
Tracked Since May 13, 2026