SecBoard
Zurück zur CVE-Übersicht

CVE-2026-43997

CRITICAL(10.0)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Signal Score25/100 — MITTEL
  • CVSS 10 — Kritisch

EPSS-Score

1%

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

10

Technische Schwere

Beschreibung

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

GitHub Advisories

GHSA-47x8-96vw-5wg6CRITICAL

vm2 Access to Host Object Enables Sandbox Escape

npm/vm23.11.0
GitHub Advisory

Referenzen