CVE-2026-43997: CWE-94: Improper Control of Generation of Code ('Code Injection') in patriksimek vm2
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
AI Analysis
Technical Summary
vm2 is a Node.js sandbox that isolates code execution. Versions prior to 3.11.0 contain a vulnerability (CVE-2026-43997) where the sandbox can be escaped by obtaining the host Object. This is possible through methods like HostObject.getOwnPropertySymbols to retrieve Symbol(nodejs.util.inspect.custom), which can lead to code injection and full sandbox escape. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code). The vulnerability is fixed in version 3.11.0 of vm2.
Potential Impact
Successful exploitation allows an attacker to escape the vm2 sandbox, gaining access to the host environment. This leads to complete compromise of confidentiality, integrity, and availability of the host system running the vulnerable vm2 version. The CVSS 3.1 score of 10.0 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade vm2 to version 3.11.0 or later, where this vulnerability is fixed. Since the vendor advisory does not explicitly state patch availability beyond the version fix, users should verify the upgrade path and apply the official fix. No other mitigations are indicated.
CVE-2026-43997: CWE-94: Improper Control of Generation of Code ('Code Injection') in patriksimek vm2
Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
vm2 is a Node.js sandbox that isolates code execution. Versions prior to 3.11.0 contain a vulnerability (CVE-2026-43997) where the sandbox can be escaped by obtaining the host Object. This is possible through methods like HostObject.getOwnPropertySymbols to retrieve Symbol(nodejs.util.inspect.custom), which can lead to code injection and full sandbox escape. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code). The vulnerability is fixed in version 3.11.0 of vm2.
Potential Impact
Successful exploitation allows an attacker to escape the vm2 sandbox, gaining access to the host environment. This leads to complete compromise of confidentiality, integrity, and availability of the host system running the vulnerable vm2 version. The CVSS 3.1 score of 10.0 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade vm2 to version 3.11.0 or later, where this vulnerability is fixed. Since the vendor advisory does not explicitly state patch availability beyond the version fix, users should verify the upgrade path and apply the official fix. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T20:24:31.917Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04ba1fcbff5d8610f48250
Added to database: 5/13/2026, 5:51:27 PM
Last enriched: 5/13/2026, 6:08:33 PM
Last updated: 5/14/2026, 6:47:03 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.