CVE-2026-43998 Overview
CVE-2026-43998 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. The flaw affects version 3.10.5 and allows sandboxed code to bypass the NodeVM require.root path restriction using filesystem symbolic links. Path validation uses path.resolve(), which does not dereference symlinks, while module loading uses Node's native require(), which does. This inconsistency lets attackers load arbitrary host-realm modules and achieve remote code execution. The maintainers fixed the issue in version 3.11.0.
Critical Impact
Sandboxed code can escape the vm2 NodeVM boundary, load arbitrary modules from the host, and execute code outside the sandbox context.
Affected Products
- vm2 version 3.10.5 (vm2_project)
- Node.js applications embedding vm2 NodeVM with require.root restrictions
- Downstream packages that rely on vm2 for untrusted code execution
Discovery Timeline
- 2026-05-13 - CVE-2026-43998 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43998
Vulnerability Analysis
The vulnerability is a symlink-based path validation bypass classified as CWE-59 (Improper Link Resolution Before File Access, or Link Following). vm2 NodeVM exposes a require.root option intended to confine sandboxed require() calls to a specific directory tree on the host. When sandboxed code calls require(), vm2 validates the requested module path against this root before delegating loading to Node.js.
The defect lies in the asymmetry between validation and loading. vm2 normalizes the requested path with path.resolve(), which performs lexical path resolution and does not follow symbolic links. Node's underlying require() implementation, however, resolves the real filesystem path and follows symlinks during module loading. An attacker who can place or reference a symlink inside the allowed root can therefore make a path appear compliant during validation while pointing to an arbitrary file outside the root at load time.
Once a host-realm module is loaded, code executes with the privileges of the host Node.js process rather than the sandbox, giving the attacker full remote code execution. Exploitation requires the attacker to control sandboxed code and to influence symlinks within the configured root, which is reflected in the high attack complexity and low privilege requirements.
Root Cause
The root cause is inconsistent path canonicalization between security checks and the privileged operation that follows. path.resolve() returns a lexically normalized string, while fs.realpath() or equivalent symlink dereferencing is required to enforce a true filesystem boundary. Skipping that step leaves a time-of-check to time-of-use style gap that symlinks exploit deterministically.
Attack Vector
The attack vector is network-reachable through any application that passes attacker-influenced code to a vm2 NodeVM configured with require.root. The attacker crafts a module path that lexically resides inside require.root but resolves through a symlink to a target outside the root, such as a privileged Node module or a shell-bridging library. Calling require() on that path triggers host-realm code execution.
No verified public proof-of-concept is referenced in the advisory. See the GitHub Security Advisory GHSA-cp6g-6699-wx9c for maintainer details.
Detection Methods for CVE-2026-43998
Indicators of Compromise
- Symbolic links created inside any directory configured as require.root for vm2, especially links pointing outside that tree.
- Node.js processes loading modules from paths outside the declared sandbox root shortly after sandboxed require() calls.
- Unexpected child processes such as /bin/sh, cmd.exe, or node spawned by an application that normally only evaluates sandboxed scripts.
Detection Strategies
- Audit application dependencies for vm2 at version 3.10.5 or earlier using npm ls vm2 or software composition analysis tooling.
- Instrument host Node.js processes to log resolved module paths and compare them against the configured require.root value.
- Monitor filesystem activity inside sandbox roots for symlink(2) syscalls or new entries where lstat and stat disagree.
Monitoring Recommendations
- Alert on Node.js processes embedding vm2 that execute outbound network connections or spawn shells after evaluating untrusted input.
- Capture process lineage and file access telemetry for services that accept user-supplied scripts, plugins, or templates.
- Review application logs for vm2 require() calls referencing paths containing .. segments or unusual directory traversals.
How to Mitigate CVE-2026-43998
Immediate Actions Required
- Upgrade vm2 to version 3.11.0 or later in all affected applications and rebuild dependent services.
- Inventory every service that embeds vm2 and confirm the resolved version after upgrade with npm ls vm2.
- Treat any code executed inside vm2 as untrusted and reassess whether vm2 is appropriate for the threat model, since the project is widely considered deprecated for strong isolation.
Patch Information
The maintainers fixed CVE-2026-43998 in vm2 version 3.11.0. The patch enforces consistent path resolution so that symlink targets are evaluated against require.root before native require() is invoked. Full details are published in the GitHub Security Advisory GHSA-cp6g-6699-wx9c.
Workarounds
- If immediate upgrade is not possible, disable require in NodeVM configuration or set require.external to false to block module loading from sandboxed code.
- Run the Node.js host process under a restricted user with read-only access to directories outside require.root and no privileged binaries on PATH.
- Place sandbox roots on filesystems mounted with nosymfollow where supported, or pre-validate roots to contain no symbolic links.
# Configuration example
npm install vm2@3.11.0
npm ls vm2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.