Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object to escape the sandbox; one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-13 | Updated 2026-05-14 | Assigner GitHub_M

CRITICAL: 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 3.11.0: affected

References

github.com/...ek/vm2/security/advisories/GHSA-47x8-96vw-5wg6 exploit

github.com/...ek/vm2/security/advisories/GHSA-47x8-96vw-5wg6

cve.org (CVE-2026-43997)

nvd.nist.gov (CVE-2026-43997)