CVE-2026-43999

Source
https://cve.org/CVERecord?id=CVE-2026-43999
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43999.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43999
Aliases
Downstream
Published
2026-05-13T17:21:22.308Z
Modified
2026-05-28T03:54:49.034181950Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
Details

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the `module` builtin is allowed (including via the `'*'` wildcard). The `module` builtin exposes Node's `Module._load()`, which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins such as `child_process` and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43999.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type
GIT
Repo
https://github.com/patriksimek/vm2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

3.*
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.16
3.9.17
3.9.18
3.9.19
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.9.9
v3.*
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.9.0
v3.9.1
v3.9.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43999.json"