CVE 9.9 CRITICAL

vm2: NodeVM builtin allowlist bypass via `module` builtin’s `Module._load` allows sandbox escape_CVE-2026-43999

May 13, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.

AI Analysis

NodeVM's builtin allowlist can be bypassed, allowing sandboxed code to load excluded builtins and achieve remote code execution

Basic Information

ID CVE-2026-43999

Source GitHub_M

Published May 13, 2026 at 17:21

Affected Product

Vendor patriksimek

Product vm2

Version < 3.11.0

Affected Versions patriksimek vm2 < 3.11.0

CWE Classification

CWE-863

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor patriksimek

Product vm2

Version < 3.11.0

References

github.com /patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8

{
    "lastseen": "",
    "description": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.",
    "published": "2026-05-13T17:21:22.308Z",
    "modified": "2026-05-13T17:21:22.308Z",
    "type": "cve",
    "title": "vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape",
    "source": "GitHub_M",
    "references": "https://github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8",
    "id": "CVE-2026-43999",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "patriksimek vm2 < 3.11.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vm2",
    "version": "< 3.11.0",
    "vendor": "patriksimek",
    "ai_description": "NodeVM's builtin allowlist can be bypassed, allowing sandboxed code to load excluded builtins and achieve remote code execution",
    "ai_severity": "Critical",
    "ai_vendor": "patriksimek",
    "ai_product": "vm2",
    "ai_version": "< 3.11.0",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply