4 matches found
CVE-2026-43999
A flaw was found in vm2 before 3.11.0. When the module builtin is allowed including via wildcard, sandboxed code can call Module.load in the host context, bypassing the builtin allowlist and loading excluded modules such as childprocess for remote code execution. Fixed in 3.11.0...
ROOT-APP-NPM-CVE-2026-43999 CVE-2026-43999 in @rootio/vm2 - Patched by Root
Root has patched CVE-2026-43999 in the @rootio/vm2 package for Root:npm. Multiple fixed versions available...
CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely...
CVE-2026-43999
CVE-2026-43999 affects vm2’s NodeVM when the builtins allowlist is configured with a wildcard that includes the module builtin. Prior to version 3.11.0, the module builtin can bypass vm2’s allowlist via Module._load, because vm2 exposes the host’s Module object through a readonly proxy that still...