Zurück zur CVE-Übersicht
CVE-2026-43997
CRITICAL(10.0)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Risk Signal Score25/100 — MITTEL
- CVSS 10 — Kritisch
EPSS-Score
1%
Exploit-Wahrscheinlichkeit (30 Tage)
CVSS Score
10
Technische Schwere
Beschreibung
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
GitHub Advisories
GHSA-47x8-96vw-5wg6CRITICAL
vm2 Access to Host Object Enables Sandbox Escape
npm/vm2→ 3.11.0
GitHub AdvisoryReferenzen
- https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
- https://access.redhat.com/security/cve/CVE-2026-43997
- https://bugzilla.redhat.com/show_bug.cgi?id=2477203
- https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43997.json