CVE-2026-43998 — HIGH (8.5)

Vulnerability Description

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution. This vulnerability is fixed in 3.11.0.

CVSS Score

8.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Vm2 Project	Vm2	3.10.5

Related Weaknesses (CWE)

CWE-59

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9cExploitMitigationVendor Advisory
https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9cExploitMitigationVendor Advisory

FAQ

What is CVE-2026-43998?

CVE-2026-43998 is a vulnerability with a CVSS score of 8.5 (HIGH). vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allo...

How severe is CVE-2026-43998?

CVE-2026-43998 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-43998?

Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.