vm2 sandbox could allow external attackers to compromise host servers

The vm2 Node.js sandbox could allow external attackers to escape the sandbox and compromise host servers, potentially exposing operational systems, sensitive files, or system-level credentials. This is currently a theoretical risk with no evidence of active exploitation.

NVD published May 13, 2026

External risk brief: CRITICAL

CVE-2026-43997

Halo Surface Signal: 2/5

The vulnerability exists within a library used as an internal application component rather than a standalone network service. Its reachability is indirect, dependent on the host application's design and public accessibility. Consequently, direct internet exposure of the vulnerable component is uncommon, as it typically resides behind application-layer logic.

Exposure facts

H – Horizon Alert

A security vulnerability has been identified in vm2, a tool used to safely isolate code execution within Node.js environments. This flaw allows unauthorized access to the underlying "host" system by bypassing the sandbox's intended security boundaries. This sandbox escape represents a potential concern, as it could grant unauthorized access to the broader system infrastructure where the isolated code is running.

A – Asset Exposure

This vulnerability affects Node.js applications that use the vm2 sandbox library to isolate untrusted code. A successful escape from this isolation could grant unauthorized access to the underlying host server, potentially compromising operational systems, sensitive files, or system-level credentials. Because the library is an internal component rather than a network-facing service, exposure depends on whether the application runs untrusted input inside these sandboxed environments.

L – Live Threat

The available context does not indicate active exploitation or observed targeting at this time. While technical documentation describes a specific method for bypassing the sandbox environment, there is no evidence that this has been utilized in malicious activity. Consequently, we are currently treating this as a theoretical risk without observed external threats.

O – Operational Fix

To address the sandbox security risk associated with the `vm2` library, have your development team apply the latest available update. Updating this package remediates the vulnerability that potentially allows unauthorized access to the host environment. We recommend prioritizing the upgrade within your standard maintenance cycles to maintain the integrity of your Node.js infrastructure.
