CVE-2026-43999: Critical vm2 Sandbox Bypass Leads to RCE
The National Vulnerability Database has disclosed CVE-2026-43999, a critical vulnerability in vm2, an open-source sandbox for Node.js. This flaw, rated 9.9 CVSS, allows for a complete bypass of the sandbox’s security mechanisms, leading to remote code execution (RCE).
The vulnerability stems from an insecure default configuration where allowing the module builtin (including via a wildcard *) exposes Node’s Module._load(). This function, when accessible, loads any module directly into the host context, completely circumventing vm2’s intended restrictions. Attackers can leverage this to load excluded builtins like child_process, enabling arbitrary code execution outside the sandbox.
This is a fundamental failure of isolation. For any application relying on vm2 for secure code execution, particularly in multi-tenant environments or when processing untrusted input, this flaw is catastrophic. It means the sandbox provides no meaningful security boundary. The fix is available in vm2 version 3.11.0, and immediate upgrade is imperative for all users.
What This Means For You
- If your applications utilize vm2 for sandboxing untrusted Node.js code, you are critically exposed. This isn't just a bypass; it's a complete nullification of the sandbox's security guarantees. Immediately audit your vm2 version and upgrade to 3.11.0 or later. Prioritize this patch, as the attacker's path to RCE is direct and unhindered if this vulnerability exists.
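An added example, not from the advisory or the vm2 project, of the audit described above: it flags a NodeVM options object whose require.builtin allowlist grants module (directly or through *) on a vm2 version before 3.11.0. The function names and sample configurations are constructed, and treating a '-module' entry as an exclusion from '*' is an assumption.

```javascript
// Added example (not vm2 code): flag NodeVM configs matching the CVE-2026-43999 condition.
const FIXED = [3, 11, 0]; // fixed release per the advisory

// Parse "3.9.19" or "v3.11.0" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison: a plain string compare would rank "3.9.19" above "3.11.0".
function isBeforeFix(version) {
  const v = parseVersion(version);
  if (!v) return true; // unknown version: treat as unpatched
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// True when the allowlist grants the 'module' builtin, directly or through '*'.
// Assumption: a '-name' entry excludes that builtin from a '*' wildcard.
function allowsModuleBuiltin(nodeVmOptions) {
  const req = nodeVmOptions && nodeVmOptions.require;
  const builtin = req && Array.isArray(req.builtin) ? req.builtin : [];
  if (builtin.includes('module')) return true;
  return builtin.includes('*') && !builtin.includes('-module');
}

function auditNodeVm(vm2Version, nodeVmOptions) {
  const unpatched = isBeforeFix(vm2Version);
  const moduleAllowed = allowsModuleBuiltin(nodeVmOptions);
  return {
    unpatched,
    moduleAllowed,
    exposed: unpatched && moduleAllowed,
    action: unpatched ? 'upgrade vm2 to 3.11.0 or later' : 'none',
  };
}

// Constructed sample configurations.
const samples = [
  ['3.9.19', { require: { builtin: ['*', '-child_process'] } }],
  ['3.9.19', { require: { builtin: ['path', 'module'] } }],
  ['3.9.19', { require: { builtin: ['path'] } }],
  ['3.11.0', { require: { builtin: ['*'] } }],
];
for (const [ver, opts] of samples) {
  console.log(ver, JSON.stringify(opts.require.builtin), auditNodeVm(ver, opts));
}
```

Note that the first sample is flagged even though child_process is excluded, which matches the advisory's point that the module builtin makes such exclusions ineffective.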
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-43999: vm2 Module Bypass with child_process
```yaml
# Title is quoted because a plain YAML scalar cannot contain ": ".
title: 'CVE-2026-43999: vm2 Module Bypass with child_process'
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the exploitation of CVE-2026-43999 by identifying Node.js processes (ParentImage) that are attempting to load the 'child_process' module (CommandLine) via the vm2 sandbox bypass. This indicates a potential RCE attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43999/
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
detection:
  selection:
    ParentImage|contains:
      - 'node.exe'
    CommandLine|contains:
      # Double-quoted: backslash escapes are not valid inside single-quoted YAML strings.
      - "require('child_process')"
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43999 | RCE | vm2 Node.js sandbox prior to version 3.11.0 |
| CVE-2026-43999 | Auth Bypass | vm2 NodeVM's builtin allowlist bypass when 'module' builtin is allowed |
| CVE-2026-43999 | Code Injection | vm2 Node's Module._load() exposing host context |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.