Critical severity 9.9 · GHSA Advisory · Published May 13, 2026 · Updated May 14, 2026
CVE-2026-43999
Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vm2 (npm) | >= 3.10.5, < 3.11.0 | 3.11.0 |
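
A check for the condition in the description, as an added example (not code from vm2 or from the advisory): it reports whether a vm2 version falls in the affected range from the table above and whether a NodeVM `require.builtin` list allows `module` directly or through `'*'`. The function names are hypothetical, versions are assumed to be plain `x.y.z`, and any `'*'` entry is flagged.

```javascript
// Added example: configuration audit helper, not part of vm2.
// Range taken from the advisory table: >= 3.10.5, < 3.11.0.
const AFFECTED_FROM = [3, 10, 5];
const FIXED_IN = [3, 11, 0];

// Assumption: plain x.y.z versions; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function versionAffected(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED_FROM) >= 0 && compareVersions(p, FIXED_IN) < 0;
}

// Entries of require.builtin that allow the `module` builtin.
// Conservative: any '*' is reported.
function riskyBuiltins(nodeVmOptions) {
  const req = nodeVmOptions ? nodeVmOptions.require : undefined;
  const list = req && Array.isArray(req.builtin) ? req.builtin : [];
  return list.filter((name) => name === 'module' || name === '*');
}

function auditNodeVm(vm2Version, nodeVmOptions) {
  const affected = versionAffected(vm2Version);
  const risky = riskyBuiltins(nodeVmOptions);
  return { affected, risky, vulnerable: affected && risky.length > 0 };
}

// Constructed sample configurations.
const samples = [
  ['3.10.5', { require: { builtin: ['fs', 'module'] } }],
  ['3.10.5', { require: { builtin: ['*'] } }],
  ['3.10.5', { require: { builtin: ['path'] } }],
  ['3.11.0', { require: { builtin: ['*'] } }],
];
for (const [version, options] of samples) {
  console.log(version, JSON.stringify(options), auditNodeVm(version, options));
}
```
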
Affected products
- Range: = 3.10.5
References
- github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8 (nvd; Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-947f-4v7f-x2v8 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-43999 (ghsa; ADVISORY)