CVE-2026-43998

Patriksimek · vm2

The vm2 Node.js sandbox environment is vulnerable to improper link resolution, allowing attackers to bypass sandbox restrictions via link following.

Executive summary

A high-severity sandbox escape vulnerability in the vm2 library allows authenticated attackers to execute arbitrary code with host-level permissions.

Vulnerability

This vulnerability is caused by improper link resolution before file access (CWE-59), which permits an attacker with low-level privileges to bypass the sandbox environment and interact with the host filesystem.

Business impact

The ability to escape a sandboxed environment represents a critical security failure, as it allows unauthorized access to the underlying host system. Given the CVSS score of 8.5, this flaw poses a significant risk of full system compromise, data exfiltration, or lateral movement within the network.

Remediation

Immediate Action: Update the vm2 package to version 3.11.0 or later as specified by the OSV advisory.

Proactive Monitoring: Monitor application logs for unusual file system access patterns or attempts to traverse directories outside of the designated sandbox.

Compensating Controls: If immediate patching is not possible, implement strict filesystem permissions for the Node.js process to limit the impact of a potential escape.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Organizations utilizing the vm2 library must prioritize updating to version 3.11.0 immediately. The presence of a proof-of-concept combined with the potential for total system impact necessitates rapid remediation to prevent host-level exploitation.