CVE DATABASE / CVE-2026-43999

CVE-2026-43999

CVSS 9.9 · CRITICAL

Summary

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.

CVSS 3.1 breakdown

Base score	9.9 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	LOW
User interaction	NONE
Scope	CHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

CWE-863

Affected products

Vm2_project vm2

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

Our coverage

Twelve Critical vm2 Node.js Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8

Data: NIST NVD. NVD last modified 2026-05-14. Always verify against the vendor advisory before acting.