CVE-2026-43997 Overview
CVE-2026-43997 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.0 allow attackers to obtain a reference to the host Object. Once an attacker holds the host Object, multiple techniques exist to break out of the sandbox, including invoking HostObject.getOwnPropertySymbols to retrieve Symbol(nodejs.util.inspect.custom). The flaw is classified under CWE-94: Improper Control of Generation of Code. The maintainers fixed the issue in version 3.11.0.
Critical Impact
Attackers who can submit untrusted JavaScript to a vm2 sandbox can escape isolation and execute arbitrary code in the host Node.js process.
Affected Products
- vm2 versions prior to 3.11.0
- Node.js applications embedding vm2 for untrusted code execution
- Services using vm2 for plugin systems, serverless functions, or user-supplied scripts
Discovery Timeline
- 2026-05-13 - CVE-2026-43997 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43997
Vulnerability Analysis
The vm2 library isolates untrusted JavaScript by proxying host objects and intercepting property access. The isolation depends on preventing sandboxed code from ever obtaining a direct reference to a host-realm object. When such a reference leaks, the attacker can use standard JavaScript reflection methods on host objects to reach host globals and Node.js internals.
The advisory identifies one concrete escape path: calling getOwnPropertySymbols on a leaked host Object returns host-realm Symbol values, including Symbol(nodejs.util.inspect.custom). This symbol is a known pivot for executing arbitrary code in the outer realm because it allows sandboxed code to define inspection callbacks that Node.js invokes outside the sandbox boundary.
Root Cause
The root cause is incomplete proxying of host-realm objects within vm2. The library's contextification layer fails to fully wrap or sanitize at least one path through which a host Object reference becomes reachable from sandboxed code. Because vm2's entire security model rests on preventing host-object leakage, any such leak collapses the trust boundary.
Attack Vector
Exploitation requires only the ability to run JavaScript inside the vm2 sandbox. No authentication, user interaction, or local access is required when the sandbox is exposed over a network service. The attacker submits crafted JavaScript that triggers the leak, retrieves the host Object, walks its property symbols, and uses nodejs.util.inspect.custom or similar primitives to execute code in the host context. From there, the attacker can read files, spawn processes, or pivot through the host system. Technical details are documented in the GitHub Security Advisory GHSA-47x8-96vw-5wg6.
Detection Methods for CVE-2026-43997
Indicators of Compromise
- Node.js processes spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe from a service that runs vm2
- Outbound network connections from Node.js services that historically only served HTTP requests
- File system reads outside the application directory by Node.js workers handling user-submitted scripts
- Unexpected use of require, process, or child_process resolved at runtime in sandboxed workloads
Detection Strategies
- Inventory all Node.js applications and identify any dependency on vm2 below version 3.11.0 using npm ls vm2 or software composition analysis tools
- Monitor process trees for Node.js parents spawning shells or interpreters, which indicates likely sandbox escape
- Alert on file or network access from sandbox worker processes that exceeds their documented scope
Monitoring Recommendations
- Forward Node.js process telemetry, including child-process creation and outbound connections, into a centralized analytics platform
- Track CI/CD and dependency manifests for reintroduction of vm2 versions below 3.11.0
- Review application logs for runtime errors referencing inspect.custom, getOwnPropertySymbols, or proxy traps, which may indicate exploitation attempts
How to Mitigate CVE-2026-43997
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later in all Node.js projects
- Audit dependency trees with npm ls vm2 and yarn why vm2 to find transitive uses
- Treat any host accepting untrusted scripts through vm2 as potentially compromised and review process and network logs
- Plan migration away from vm2, which the maintainers have deprecated in favor of stronger isolation primitives
Patch Information
The vulnerability is fixed in vm2 version 3.11.0. Update the dependency in package.json and run npm install or yarn install to apply the fix. Verify the resolved version with npm ls vm2. Refer to the GitHub Security Advisory GHSA-47x8-96vw-5wg6 for upstream guidance.
Workarounds
- Where immediate upgrade is not possible, disable or restrict endpoints that pass untrusted code to vm2
- Run Node.js services that use vm2 inside containers or VMs with seccomp, AppArmor, or SELinux profiles that block process spawning and outbound network access
- Migrate to alternative isolation mechanisms such as isolated-vm, separate Node.js worker processes with strict IPC, or WebAssembly-based sandboxes
# Update vm2 to the patched release
npm install vm2@^3.11.0
# Verify installed version
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
