CVE-2026-43999: CWE-863: Incorrect Authorization in patriksimek vm2
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.
AI Analysis
Technical Summary
The patriksimek vm2 Node.js sandbox prior to version 3.11.0 contains an incorrect authorization vulnerability (CWE-863) where the builtin allowlist can be bypassed if the 'builtin' module is allowed, including via wildcard '*'. This is because the 'builtin' module exposes Node.js's internal Module._load() function, which can load any module by name in the host context. As a result, sandboxed code can load restricted built-in modules such as child_process, enabling remote code execution outside the sandbox. This vulnerability is addressed in vm2 version 3.11.0.
Potential Impact
Successful exploitation allows sandboxed code to bypass vm2's builtin module restrictions and load any Node.js module directly in the host context, including sensitive modules like child_process. This can lead to remote code execution with the privileges of the host process, compromising confidentiality, integrity, and availability of the affected system. The CVSS score of 9.9 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade to patriksimek vm2 version 3.11.0 or later, where this vulnerability is fixed. Since no official patch links or vendor advisories are provided, confirm upgrade availability from the official vm2 repository or vendor channels. There is no indication that temporary mitigations or workarounds exist. Patch status is not explicitly confirmed beyond the version fix note; therefore, verify with the vendor for current remediation guidance.
CVE-2026-43999: CWE-863: Incorrect Authorization in patriksimek vm2
Description
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child_process and achieve remote code execution. This vulnerability is fixed in 3.11.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The patriksimek vm2 Node.js sandbox prior to version 3.11.0 contains an incorrect authorization vulnerability (CWE-863) where the builtin allowlist can be bypassed if the 'builtin' module is allowed, including via wildcard '*'. This is because the 'builtin' module exposes Node.js's internal Module._load() function, which can load any module by name in the host context. As a result, sandboxed code can load restricted built-in modules such as child_process, enabling remote code execution outside the sandbox. This vulnerability is addressed in vm2 version 3.11.0.
Potential Impact
Successful exploitation allows sandboxed code to bypass vm2's builtin module restrictions and load any Node.js module directly in the host context, including sensitive modules like child_process. This can lead to remote code execution with the privileges of the host process, compromising confidentiality, integrity, and availability of the affected system. The CVSS score of 9.9 reflects the critical nature of this vulnerability.
Mitigation Recommendations
Upgrade to patriksimek vm2 version 3.11.0 or later, where this vulnerability is fixed. Since no official patch links or vendor advisories are provided, confirm upgrade availability from the official vm2 repository or vendor channels. There is no indication that temporary mitigations or workarounds exist. Patch status is not explicitly confirmed beyond the version fix note; therefore, verify with the vendor for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T20:24:31.917Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04ba1fcbff5d8610f48256
Added to database: 5/13/2026, 5:51:27 PM
Last enriched: 5/13/2026, 6:08:18 PM
Last updated: 5/14/2026, 6:47:33 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.