External risk intelligence

Attacker can take control of systems running vm2 Node.js library

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-43999

An external attacker can exploit a weakness in the vm2 library to break through security boundaries and run unauthorized software on host servers. This could result in full system compromise and unauthorized access to sensitive company resources.

3Halo Surface Signal

Remote Code Execution

Vm2 Project Vm2

before 3.11.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-43999

vm2 is a library integrated into applications to sandbox untrusted code, not a standalone edge service or appliance. Exposure is entirely dependent on the host application's architecture. While it is often used in internet-facing platforms that process user-supplied code, it is equally likely to be utilized in internal tools or non-public backend processing pipelines.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the vm2 library allows code running inside a sandbox to bypass restrictions and execute commands on the host system. This is a significant concern because it can lead to complete system compromise even when using the sandboxing features.

  • Could lead to remote code execution.
  • Affects applications using vm2.
  • Bypasses security controls.

Attack Path

How an attacker could exploit the issue

An attacker with low-privileged access could exploit this flaw by tricking a vulnerable Node.js application using `vm2` into executing arbitrary code. By leveraging the bypass of the sandbox's module restrictions, the attacker could load and execute powerful Node.js modules like `child_process`, leading to full control over the host system.

  • Bypasses module allowlist.
  • Executes `child_process` in host context.
  • Requires application using vulnerable `vm2`.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to find this vulnerability appealing due to its critical severity and ability to achieve remote code execution by bypassing sandbox restrictions. The ease of exploitation, requiring only a low privilege level and no user interaction, further increases its attractiveness. While not yet listed as a known exploited vulnerability, its critical nature suggests a significant threat.

  • Critical severity and RCE capability.
  • Exploitable with low privilege.
  • No user interaction needed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize updating vm2 to version 3.11.0 to address the bypass of sandbox restrictions that allows remote code execution. If immediate patching is not feasible, isolate services using vulnerable versions of vm2 or monitor for signs of exploitation.

  • Update vm2 to 3.11.0.
  • Isolate affected services if patching is delayed.
  • Monitor for unexpected child_process usage.

Frequently asked questions

What is vm2 and what is it used for?

vm2 is an open-source library for Node.js that creates secure virtual environments, or sandboxes. Developers use it to run untrusted code in isolation, preventing it from accessing or modifying the underlying system. This is crucial for applications that process user-submitted code, like online code editors or scripting platforms.

What kind of vulnerability is CVE-2026-43999 in vm2?

CVE-2026-43999 is a bypass vulnerability. In vm2 versions prior to 3.11.0, a flaw in the way allowed built-in modules were handled meant that an attacker could load modules that should have been restricted, completely circumventing the sandbox's security.

How could an attacker exploit this vm2 vulnerability?

An attacker could exploit this by providing malicious code to an application that uses a vulnerable version of vm2. If the application allows certain built-in modules, the attacker's code could exploit a flaw to load Node.js's `Module._load()` function. This bypasses vm2's restrictions, allowing the attacker to load powerful modules like `child_process` and potentially execute commands on the host system.

Who should be concerned about this vm2 vulnerability?

Organizations using the vm2 library in their Node.js applications should be concerned. According to Halo Surface Signal, this vulnerability has a 'Possible' exposure level, meaning it could be present in internet-facing or internal systems. Developers and security teams need to assess if their applications incorporate vulnerable versions of vm2.

What is the first step to address this vm2 vulnerability?

The most important first step is to update the vm2 library to version 3.11.0 or later. This version contains the fix for the bypass vulnerability. If immediate updating is not possible, consider isolating systems that use vulnerable versions of vm2 until the update can be applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified