CVE-2026-43998

HIGH

vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape

Title source: cna

Description

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution. This vulnerability is fixed in 3.11.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9c

Scores

CVSS v3 8.5

EPSS 0.0028

EPSS Percentile 51.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-59

Status published

Products (3)

npm/vm2 3.10.5 - 3.11.0npm

patriksimek/vm2 3.10.5

vm2_project/vm2 3.10.5

Published May 13, 2026

Tracked Since May 13, 2026