PT-2026-38390 · Npm · Vm2
Bugbunny-Research · Published 2026-05-01 · Updated 2026-06-10 · CVE-2026-43999
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.0
Description: NodeVM's builtin allowlist can be bypassed when the module builtin is allowed, including when the * wildcard is used. The module builtin exposes Node's Module._load() function, which loads any module by name directly in the host context, completely bypassing the sandbox's restrictions. This lets sandboxed code load excluded builtins such as child_process, leading to remote code execution on the host system.
Recommendations: Update to version 3.11.0. As a temporary workaround, explicitly exclude the module builtin from the allowlist configuration so that sandboxed code cannot reach Module._load().
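The weak and hardened NodeVM allowlists side by side, plus a small audit helper that flags a configuration exposing the module builtin. This is an added example, not code from the advisory or from the vm2 project; it assumes only vm2's documented NodeVM option shape (require.external, require.builtin, '*' meaning every builtin) and does not load vm2 itself.

```javascript
// Added example (not from the advisory or the vm2 project). Assumes vm2's
// NodeVM option shape { require: { external, builtin } }, where `builtin` is
// the allowlist of Node builtins and '*' means all of them.

// Weak configuration: the wildcard allows every builtin, so sandboxed code
// can require('module') and reach Module._load in the host context.
const weakOptions = {
  require: { external: false, builtin: ['*'] },
};

// Hardened configuration: enumerate only the builtins the sandbox needs and
// leave 'module' off the list, so the host loader is never reachable.
const hardenedOptions = {
  require: { external: false, builtin: ['path', 'url', 'util'] },
};

// Returns the reasons an allowlist would expose the 'module' builtin;
// an empty array means the configuration does not trigger this issue.
function auditBuiltinAllowlist(options) {
  const builtin = (options.require && options.require.builtin) || [];
  const reasons = [];
  if (builtin.includes('*')) {
    reasons.push("wildcard '*' allows every builtin, including 'module'");
  }
  if (builtin.includes('module')) {
    reasons.push("'module' is explicitly allowed");
  }
  return reasons;
}

// Returns a copy of the options whose allowlist cannot expose 'module'.
// An explicit list is filtered; a wildcard is replaced by the caller's own
// explicit list, because there is no safe automatic expansion of '*'.
function hardenBuiltinAllowlist(options, explicitBuiltins = []) {
  const builtin = (options.require && options.require.builtin) || [];
  const source = builtin.includes('*') ? explicitBuiltins : builtin;
  const safeBuiltin = source.filter((name) => name !== '*' && name !== 'module');
  return {
    ...options,
    require: { ...(options.require || {}), builtin: safeBuiltin },
  };
}
```

Run the audit against every NodeVM options object your application constructs; any non-empty result means the workaround above has not been applied.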

Tags: Exploit · Fix · RCE · Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2026-06908
CVE-2026-43999
GHSA-947F-4V7F-X2V8

Affected Products

Vm2