Path Traversal Vulnerability in vm2 Sandbox for Node.js by Patrik Simek
CVE-2026-43998

8.5 HIGH

Key Information:

CVE Published: 13 May 2026

What is CVE-2026-43998?

The vm2 library, a popular open-source sandbox for Node.js, is affected by a path traversal vulnerability in version 3.10.5. The flaw lets an attacker bypass the NodeVM require.root path restriction by using filesystem symlinks: because the path validation and the module loading process handle paths differently, arbitrary modules can be loaded from the host system, which can lead to remote code execution. The issue is fixed in version 3.11.0, and upgrading is the recommended remediation.

Affected Version(s)

vm2 3.10.5

CVSS v3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
