Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
References (4)
Core 4
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-43997
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2477203
X_Refsource_Confirm x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
Scores
CVSS v3
10.0
EPSS
0.0098
EPSS Percentile
58.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-653
CWE-94
Status
published
Products (3)
npm/vm2
0 - 3.11.0npm
patriksimek/vm2
< 3.11.0
vm2_project/vm2
< 3.11.0
Published
May 13, 2026
Tracked Since
May 13, 2026